It looks like a batch of good amendments and recent events should have made it easier to get them in.
"Events, dear boy, events."
The UK government wants to grant the Information Commissioner power to demand that data controllers and processors hand over information in just 24 hours – instead of a week – and plans to make destruction of such information an offence. The data protection watchdog hit the headlines when the Cambridge Analytica scandal broke …
The government has also proposed making it an offence for a person to "destroy or otherwise dispose of, conceal, block or (where relevant) falsify all or part of the information, document, equipment or material" – or for someone to permit this to happen.
Making what is clearly covered by existing statutes for fraud, perverting the course of justice or other serious criminal offences into something you can get away with using a good lawyer.
Err... NO PASARAN.
A standard tactic of government is to create a new law which in fact does not add anything to existing law in an effort to be seen to be doing something.
In this case however it may transfer responsibility from the Fraud Squad (which a retired police superintendent of my acquaintance says work rather short hours) to the ICO. But then it may not.
"Making what is clearly covered by existing statutes for fraud, perverting the course of justice or other serious criminal offences into something you can get away with using a good lawyer."
I don't see any rush to bring CA to book for deleting data, nor is it clear what basis there may have been under existing law for doing so if the only thing affected is an ICO investigation.
Nor do I see the ICO's remit overlapping much if at all with what's covered by existing law (statute and common) so why should adding provision for prosecuting destruction of evidence for investigations within that remit affect existing criminal provisions?
"It would also mean that any such disclosure could only be made to the police, and not, for example, to Home Office immigration enforcement officials," the statement said.
That's OK then - not.
Home Office Immigration ask the (Home Office) Police for the data, "Sorry we don't have it - we will get it from the NHS. Can you come back and ask again tomorrow?"
They can all have it but if the data may support my appeal against deportation then I can't have it. All very fair and transparent.
As someone who's been on the receiving end, 24 hours isn't enough time to do it properly. To do that you'd need a team, all properly trained and kept up to date on every database change across an entire organisation, with an on-call rota. A stupidly expensive requirement and terrible security policy to have one set of individuals with access to everything.
Responding to these requests needs to be a team effort, and realistically that means it needs to be a 9 to 5 job.
"24 hours isn't enough time to do it properly. To do that you'd need a team, all properly trained and kept up to date on every database change across an entire organisation, with an on-call rota."
As far as I can make out this isn't about routine subject access requests. This is about ICO investigations and the week-long stand-off at CA. Even 24 hours is long compared to being able to roll up at 5am with a sledgehammer.
In fact, I'd go for the ICO being able to turn up at 5am with a sledgehammer.
It's not about SARs. And I wasn't talking about SARs. I was talking about responding to ICO warrants.
Turning up at any time with a sledgehammer won't help you get anything, except publicity, not without the credentials to the hardware security module in the key management server.