'Glaring holes' in computer data Act: Up to 100,000 groups may hold personal records illegally. Chris Blackhurst reports

The Independent Online
ABOUT 100,000 organisations may be holding personal information on their computers illegally, it was claimed yesterday.

While 250,000 data users should have registered under the Data Protection Act, only 150,000 have so far done so. In a report laying bare the inadequacy of the data protection legislation and raising serious questions about the effectiveness of the Data Protection Registrar, the National Audit Office (NAO) said that one in three small companies and one in six large companies were unaware of their obligation to register.

Among the cases used by the NAO to show the glaring holes in the system was that of a woman going on holiday to the United States. With the confirmation of her flight booking she also received from the travel agent, who was not registered under the Act, a computer list of the names and addresses of her fellow travellers.

In a second case, an unregistered newsagent kept a computer screen containing names and addresses of customers on full view in the shop. In another case, a man was arrested twice by different police forces because of inaccurate information on the police national computer.

Research showed that while four out of five people think that access to personal information should be restricted and privacy maintained, only half know about statutory data protection rights and only a third have heard of the Data Protection Registrar. 'Four out of five people are unaware that a law exists giving them clear rights and safeguards about information held about them,' the NAO said.

Eric Howe, the Data Protection Registrar, was criticised by the NAO for not being tough enough. 'The Registrar seeks to encourage and secure compliance with good practice without resorting to his statutory enforcement powers. As a result, only some 200 formal supervisory and similar notices have been served since the Act came into force.'

Most of these have been served because the Registrar was unable to trace a data user after an application to register had been made.

The Registrar was not active enough in enforcing the legislation. He has monitored compliance in a few areas but 'is largely dependent upon complaints from the public to warn him of potential problems'. And he 'does not have a standard practice of visiting all data users in order to inspect compliance after service of a notice'.

Too much effort is directed to persuading organisations to renew their registrations rather than obtaining first-time registrations. Only brief checks are made on applications and 'the accuracy of the information provided is not generally verified'.

Little effort is directed to obtaining new registrations - instead Mr Howe, who has 100 staff and a budget of £3.4m, reports directly to Parliament. The Commons Public Accounts Committee will investigate the NAO's findings in November.

Much of the NAO's criticism was reserved for the Data Protection Act rather than the Registrar. He cannot require information to be supplied to him by data users, except in limited circumstances; he cannot carry out audits or inspections; and his powers to enter premises are limited.