What are we to make of the following comment by one of Europe’s better known, and better respected, Data Protection Regulators:
“Our audits of State organisations have, in too many cases, shown scant regard by senior management to their duty to safeguard the personal data entrusted to them – a duty that is all the greater because of the legal obligation to provide such personal data to the State. Laudable objectives such as fraud prevention and greater efficiency must meet a test of proportionality in the manner in which personal data is used. Failure to treat personal data with respect can only lessen the trust that should exist between the individual and the State. It will also lead inevitably to more formal enforcement action by my Office unless system-wide action is taken to improve current practice.”
To me, it indicates that this national regulator is getting pretty sick and tired of the low data protection standards that are currently practiced by a significant number of public bodies he is required to oversee. And that this regulator will continue to take enforcement action against these public bodies, when appropriate.
So would a national Government, when faced with criticism of this nature, really be prepared to support the notion of a new General Data Protection Directive, which heralds higher data protection standards and therefore a much greater risk of enforcement action against public bodies? Especially in an economic climate where really hard choices will need to be made about public spending priorities for many years to come?
There’s nothing wrong with good standards – so long as they are affordable. But if a Government cannot afford to invest sufficiently in reaching data protection standards that are already some 14 years old, do I really think that such a Government would have the political will to be seen to be failing to reach even higher (i.e. GDPR) standards?
I think not.
So, in my view, the message from the author of the above text is that Governments who fail to provide state institutions with the resources that are necessary to meet Government-mandated data protection standards should think very carefully before raising the bar even further.
For those who have not yet guessed, the author of the above remarks is Billy Hawkes, the extremely well-respected Irish Data Protection Regulator.
Read his latest Annual Report. It's a cracker. What's really depressing is that any of the 19 detailed case studies in the document could so easily have been included in the Annual Report of another national regulator. The issues that face Irish data controllers really are no different to the sorts of issues that face other data controllers. And I have no reason to suspect that the behaviour of data controllers in Ireland is, generally, any different to that of data controllers in other jurisdictions.