ICO’s power to spot check private sector firms questioned.

Late in 2012 twenty businesses met with the Ministry of Justice (MOJ) to discuss the proposals being put forward by the EU for a new, tighter data protection regulation which would replace the existing 1998 Data Protection Act. Articles 46 to 79 of the proposed regulation (due to become law in 2015) relate to the Office of the Information Commissioner (ICO) having the power to spot check private firms’ premises and their data handling and processing arrangements. Akin to the powers granted to the Health and Safety Executive, this would enable the ICO to walk into any business in the UK unannounced and demand to inspect the firm and test its compliance with the law.

In addition to the proposal for spot checks, other major changes include:

  • a requirement for firms to notify the relevant data protection authorities of any serious data breaches within 24 hours;
  • firms with over 250 employees handling personal data must appoint a data protection officer;
  • businesses to respect users’ right to be forgotten;
  • people to have the power to force any firm to delete data stored on their systems.
One of the major elements of the EU’s proposals is changing data protection law from a directive to a regulation. Directives can be implemented with local differences in each of the 27 Member States, whereas Regulations have to be implemented identically. The UK’s current 1998 Data Protection Act is the result of the EU Data Protection Directive (95/46/EC), and each Member State has a slightly different variation, leading to difficulties for businesses with pan-European operations. In fact, a 2011 research piece indicated that the UK came out 21st out of 27 in respect of how tight and rigid our interpretation of the Directive was compared with the other Member States.

Many of the proposed changes to the regulation (and therefore to UK law) simply reflect the existing arrangements adopted by other Member States under their interpretation of the ‘95 Directive. Not only is it unlikely that the overall rule set will be relaxed, but life, data, IT and communications technology are unrecognisable now compared to the mid 90s. Couple that with the facts that the new DP Regulation is being driven by German politician Jan Albrecht and that the EU has previously been critical of the UK’s data protection arrangements, and it seems highly likely that sweeping and significant change is only a matter of months away.