Overlooked - Liberty

Overlooked: Surveillance and personal privacy in modern Britain 119
There is also a power for the Secretary of State to appoint data protection supervisors to monitor data
controllers’ compliance with the Act 230 . These provisions regulate the form of notification but, so long
as the process is complied with, have no other impact. The only effective control on processing is
contained in Section 22 DPA which deals with ‘assemble processing’. This is processing likely to cause
damage or distress to data subjects or which might prejudice their rights and freedoms. The definition
of what would constitute ‘processing likely to cause damage and distress…etc.’ is left to parliamentary
order. Once a parliamentary order has been made, if the ICO believes assemble processing has
occurred he can give notice of his opinion to the data controller and require compliance.
While this might appear to provide some sort of regulatory mechanism, it has not done so. Primarily
this is because no parliamentary order has ever been made, so the provisions have effectively failed
to come into force. However, even if they had come into force, the way the legislation is structured
means that the Commissioner has no power to forbid the processing or require it to be amended
until after is has already been carried out. The ICO enforcement powers contained in Part V DPA are
restricted to when breaches of the data protection principles have already taken place. By this time
the damage may well have already been done.
This rather limited regulatory role fits with the Government’s attitude towards notification essentially
being a regulatory rather than enforcement tool. As Rosemary Jay and Angus Hamilton point out in
Data Protection Law and Practice ‘Notification is not a control mechanism; the Commissioner
cannot refuse a notification’ 231 . The policy driver behind the purpose of notification was set out in
the 1998 Home Office Consultation Paper ‘Subordinate Legislation: Notification Regulations’ which
stated ‘The Government considers that the primary purpose of notification under the new data
protection scheme should be to promote transparency, that is providing to the public and the
Commissioner a clear description in general terms of the processing of personal data’ 232 There is
no mention of enforcement. As mentioned above data controllers must register with the ICO and
processing without registration is a criminal offence. However once registration has occurred there
is little the ICO can do by way of enforcement.
It is this notification regime that will govern mass data matching and data mining processes.
Application of several of the data protection principles: that data shall be processed lawfully and
fairly (the first principle); that it shall be obtained and processed for one of more specified purposes
(the second principle); that it shall be adequate, relevant and not excessive for purpose (the third
principle); and that it be processed in accordance with the rights of data subjects (the sixth principle)
demonstrate the shortcomings of this regime in relation to mass data processing methods. If
multiple processing purposes are registered, the second principle will be adhered to. The third data
protection principle tends to allow considerable leeway in terms of what constitutes adequate,
relevant and non-excessive data in that data matching and mining processes operate on the basis
that an extremely broad range of information will be of use in assessing whether or not someone
might, for example, be involved in criminality. The sixth principle allows, for example, that processing
can be prevented if it would cause substantial damage or distress and if it would be unwarranted
230
Section 23
231
Page 246 Rosemary Jay and Angus Hamilton: Data Protection Law and Practice. Second Edition. Published
by Sweet and Maxwell
232
Home Office 1998 Subordinate legislation: Notification Regulations. No online citation available.