ICO warns Digital Protection Act must be clearer

There is a lack of clarity surrounding the Data Protection Act (DPA) the Information Commissioner’s Office (ICO) has said. It now wants to update the DPA to eliminate confusion and give everyone a clearer definition of ‘personal data,’ which it says is currently inadequate.

“The law must be clearer on when consent is required to use personal information and adopt a more pragmatic approach to the regulation of international data flows,” the watchdog said in a statement.

“The allocation of responsibilities amongst those handling personal data also needs to reflect he changing nature of modern day business relationships.”

The response follows the Ministry of Justice asking businesses, regulators and individuals for their views on the UK’s data protection framework. This was to help it negotiate with the European Commission as it reviews EU-wide data protection law.

The European Commission has been banging on about tighter data protection in the UK for a while now, saying it needs to ensure it measures up to EU standards. 

In June the EC said the current protection rules in the UK were insufficient, and that the ICO lacked a number of key powers. Such as being unable to monitor whether other countries’ data protection is adequate in case of cross-over businesses, performing random spot checks on people using or processing personal data and enforcing penalties following the checks.

The consultation, which closed yesterday has spurred the ICO to list a range of improvements that it would like to see in a revised framework.

It is after greater clarity on when consent is required to use personal information as well as improved coordination with freedom of information.

The ICO also told the government that the DPA must be altered to address changes in the way that personal data is collected and used. It said this was because increasing use of online services means that organisations collect new data that the law is unclear about, such as IP addresses.

It also wants to see a better approach to the regulation of international data flows.

“This is one of the aspects of the EU Directive that most needs to be amended to deal more realistically with current and future international data-flows. A future framework should focus much more on risk assessment by the exporting data controller and should be clearer about data controllers’ responsibility, wherever they choose to process personal data,” the document said.

Individuals who knowingly break the DPA have also come under fire. The ICO says that ultimately it wants to see them banged up.

“The Information Commissioner considers that the trade in personal information justifies the possibility of a custodial sentence for the most serious offences,” it said.