What are we to make of the following comment by one of
Europe’s better known, and better respected, Data Protection Regulators:
“Our audits of State organisations have, in too many cases,
shown scant regard by senior management to their duty to safeguard the personal
data entrusted to them – a duty that is all the greater because of the legal
obligation to provide such personal data to the State. Laudable objectives such
as fraud prevention and greater efficiency must meet a test of proportionality
in the manner in which personal data is used. Failure to treat personal data
with respect can only lessen the trust that should exist between the individual
and the State. It will also lead inevitably to more formal enforcement action
by my Office unless system-wide action is taken to improve current practice.”
To me, it indicates that this national regulator is getting
pretty sick and tired of the low data protection standards that are currently
practiced by a significant number of the public bodies he is required to oversee,
and that this regulator will continue to take enforcement action against these
public bodies, when appropriate.
So would a national Government, when faced with criticism of
this nature, really be prepared to support the notion of a new General Data
Protection Directive, which heralds higher data protection standards and
therefore a much greater risk of enforcement action against public bodies?
Especially in an economic climate where really hard choices will need to be
made about public spending priorities for many years to come?
There’s nothing wrong with good standards – so long as they
are affordable. But if a Government cannot afford to invest sufficiently to reach
data protection standards that are already some 14 years old, do I really think
that such a Government would have the political will to be seen to be failing
to reach even higher (i.e. GDPR) standards?
I think not.
So, in my view, the message from the author of the above
text is that Governments who fail to provide state institutions with the
resources that are necessary to meet Government-mandated data protection standards
should think very carefully before raising the bar even further.
For those who have not yet guessed, the author of the above
remarks is Billy Hawkes, the extremely well-respected Irish Data Protection
Regulator.
Read his latest Annual Report. It's a cracker. What's really depressing is that any of the 19 detailed case studies in the document could so easily have been included in the Annual Report of another national regulator. The issues that face Irish data controllers really are no different to the sorts of issues that face other data controllers. And I have no reason to suspect that the behaviour of data controllers in Ireland is, generally, any different to that of data controllers in other jurisdictions.
Source: http://www.dataprotection.ie/docimages/documents/Annual%20Report%202013.pdf