Overlooked - Liberty
Overlooked - Liberty
Overlooked - Liberty
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
<strong>Overlooked</strong>: Surveillance and personal privacy in modern Britain 119<br />
There is also a power for the Secretary of State to appoint data protection supervisors to monitor data<br />
controllers’ compliance with the Act 230 . These provisions regulate the form of notification but, so long<br />
as the process is complied with, have no other impact. The only effective control on processing is<br />
contained in Section 22 DPA which deals with ‘assemble processing’. This is processing likely to cause<br />
damage or distress to data subjects or which might prejudice their rights and freedoms. The definition<br />
of what would constitute ‘processing likely to cause damage and distress…etc.’ is left to parliamentary<br />
order. Once a parliamentary order has been made, if the ICO believes assemble processing has<br />
occurred he can give notice of his opinion to the data controller and require compliance.<br />
While this might appear to provide some sort of regulatory mechanism, it has not done so. Primarily<br />
this is because no parliamentary order has ever been made, so the provisions have effectively failed<br />
to come into force. However, even if they had come into force, the way the legislation is structured<br />
means that the Commissioner has no power to forbid the processing or require it to be amended<br />
until after is has already been carried out. The ICO enforcement powers contained in Part V DPA are<br />
restricted to when breaches of the data protection principles have already taken place. By this time<br />
the damage may well have already been done.<br />
This rather limited regulatory role fits with the Government’s attitude towards notification essentially<br />
being a regulatory rather than enforcement tool. As Rosemary Jay and Angus Hamilton point out in<br />
Data Protection Law and Practice ‘Notification is not a control mechanism; the Commissioner<br />
cannot refuse a notification’ 231 . The policy driver behind the purpose of notification was set out in<br />
the 1998 Home Office Consultation Paper ‘Subordinate Legislation: Notification Regulations’ which<br />
stated ‘The Government considers that the primary purpose of notification under the new data<br />
protection scheme should be to promote transparency, that is providing to the public and the<br />
Commissioner a clear description in general terms of the processing of personal data’ 232 There is<br />
no mention of enforcement. As mentioned above data controllers must register with the ICO and<br />
processing without registration is a criminal offence. However once registration has occurred there<br />
is little the ICO can do by way of enforcement.<br />
It is this notification regime that will govern mass data matching and data mining processes.<br />
Application of several of the data protection principles: that data shall be processed lawfully and<br />
fairly (the first principle); that it shall be obtained and processed for one of more specified purposes<br />
(the second principle); that it shall be adequate, relevant and not excessive for purpose (the third<br />
principle); and that it be processed in accordance with the rights of data subjects (the sixth principle)<br />
demonstrate the shortcomings of this regime in relation to mass data processing methods. If<br />
multiple processing purposes are registered, the second principle will be adhered to. The third data<br />
protection principle tends to allow considerable leeway in terms of what constitutes adequate,<br />
relevant and non-excessive data in that data matching and mining processes operate on the basis<br />
that an extremely broad range of information will be of use in assessing whether or not someone<br />
might, for example, be involved in criminality. The sixth principle allows, for example, that processing<br />
can be prevented if it would cause substantial damage or distress and if it would be unwarranted<br />
230<br />
Section 23<br />
231<br />
Page 246 Rosemary Jay and Angus Hamilton: Data Protection Law and Practice. Second Edition. Published<br />
by Sweet and Maxwell<br />
232<br />
Home Office 1998 Subordinate legislation: Notification Regulations. No online citation available.