Letters received from the Information Commissioner in response to my letters shown at intern17.htm and intern28.htm
If any worthwhile responses are received these will be reproduced. However, it is to be noted that the record of the Information Commissioner in the UK is often cited as poor, and with very few prosecutions for what are clear breaches of the Data Protection Act. This is probably one reason why protection of personal data held on computers continues to be lax. For example, there have been examples of customer records held on computer systems becoming available on-line to third parties, including from government computers, banks and other private companies. In 2000, thousands of account details including credit card numbers were made available on-line from an electricity utility. The Company concerned should (arguably) have been prosecuted to the maximum extent allowed by law, yet no action was taken.
These and other examples of a 'softly softly' approach to enforcement of Data Protection can only add to public unease. Two problems are that before the Commissioner will even consider taking action, someone who has been adversely affected has to complain. It is not sufficient merely that a flagrant security weakness is highlighted by a third party. Using this approach, drunk drivers could not be prosecuted until they killed someone - and the person killed would have to be the complainant.
The second problem is that even where a breach of Data Protection is deemed to have occurred, the Commissioner has discretion whether or not to prosecute. Mounting a prosecution involves work and costs money, so it is more convenient for all concerned to close the file and allow it to gather dust.
To end on a positive note, the Information Commissioner Richard Thomas has recently suggested a national debate on retention of personal data. There is increasing unease about the amount that is now collected and the degree with which it is shared between various computer systems. The website is www.informationcommissioner.gov.uk and the email address mailto:mail@dataprotection.gov.uk.