PL&B UK E-news, Issue 79

1. Regulatory Enforcement and Sanctions Act soon in force

The Regulatory Enforcement and Sanctions Act, which introduces a risk-based approach to regulation, enters into force (for most parts) on 1 October 2008. The Act comprises four key parts: Part 1 establishes the Local Better Regulation Office; Part 2 makes provision for more consistent and co-ordinated regulatory enforcement by local authorities; Part 3 introduces new civil sanctions to be used as an alternative to criminal prosecution; and Part 4 sets a duty on regulators not to impose or maintain unnecessary burdens.

The aim of these new powers is to enable regulators to act in a more flexible and proportionate way. In terms of data protection, this means that the ICO can set fixed monetary penalties, and use stop-now powers to forbid a non-compliant organisation from further processing personal data. A stop notice must contain the grounds for issuing the notice, the person’s rights of appeal and the consequences of non-compliance. When the regulator is satisfied that the person has taken the steps specified in the stop notice, it must issue a “completion certificate”.

The regulators specified in this Act, including the ICO, may accept “enforcement undertakings” offered by a person, a tool that the ICO has already used quite effectively on a non-statutory basis. An enforcement undertaking is an undertaking or promise by a person to take certain actions. Once an enforcement undertaking is accepted, the person may not be prosecuted for the act or omission or have a fixed monetary penalty imposed on them, unless they fail to comply with the undertakings. In case of such non-compliance, the regulator will be able to prosecute the person for the original offence or impose a fixed monetary penalty.

The Act can be downloaded.

2. £22,000 for malicious Facebook entry

A man whose false profile was posted on the networking site Facebook has managed to claim £22,000 in compensation. Mathew Firsht sued for libel and misuse of personal information after Grant Raphael, a man who fell out with him several years ago, created a false Facebook profile for Mr Firsht. The profile included Mr Firsht’s birthday and relationship status, but also false information about his sexual orientation and political views. Raphael claimed that it was a group of friends that created the profile, but the judge ruled that the defence was "built on lies".

Mr Firsht was awarded £15,000 for libel and £2,000 for breach of privacy. Mr Firsht's company was also awarded £5,000 for libel, as the profile claimed that his company was not trustworthy.

The profile was on the site for 16 days before Mr Firsht's brother saw it and had it taken down.

Source: The Times, 24 July 2008

3. PA Consulting loses contract after data loss

The Home Office has terminated the contract with PA Consulting after PA lost a memory stick containing personal details of all 84,000 prisoners in England and Wales. The data that was reported lost on 18 August includes names and, in some cases, dates of birth, addresses and release dates.

The Home Office submitted a report to the Information Commissioner on 10 September.

PA accepts responsibility for this incident. However, it stresses that it has a comprehensive system of security procedures and practices in place in order to protect sensitive information. This incident was caused by human failure, PA says.

PA has fully cooperated with the investigation of this incident, and conducted an examination of every one of its projects that handle personal and sensitive data. It says that its review has confirmed that, apart from in this isolated incident, it is ‘fully compliant with robust policies and procedures and achieving high levels of information assurance’.

Another contractor, EDS, was reported, on 6 September, to have lost a hard drive containing the details of 5,000 employees of the Ministry of Justice's National Offender Management Service. Justice Secretary Jack Straw said he has ‘ordered an urgent inquiry into the circumstances and the implications of the data loss and the level of risk involved’.

To avoid this happening to you, learn about the DP Act at one of our training sessions:

Introduction to data protection:

18/11/08 Leeds
20/11/08 London
05/03/09 Leeds
10/03/09 London

DP & Marketing:

11/02/09 London

For more information, see

4. Complimentary PL&B webcast: International privacy laws that impact your business

19 September 2008, 3pm

Topics covered:

  • The role and priorities of the European National Data Protection Authorities
  • The US Safe Harbor
  • Differences between the countries with data protection laws: Australia, New Zealand, Hong Kong, Japan and Korea
  • The impact of state data breach laws in the USA


Iain Mcleod – Managing Director SAI Global Compliance EMEA
Stewart Dresner – Chief Executive Privacy Laws and Business

To register, visit

5. Cambridge conference papers available

If you attended our Annual International Conference in July, and want to access reports of the parallel sessions you missed, or just wish to refresh your memory, you can now access conference reports written by our rapporteurs via the Privacy Laws & Business website.  

Please note that this secure part of the website is only available for conference participants. Papers and slides are also available for non-participants to purchase.

For further details on the Privacy Laws & Business UK Newsletter, please click here.

Copyright Privacy Laws & Business 2008