Under the law as it stands in the Data Protection Act, 1988, a person found guilty of an offence, including the offence of disclosing personal data obtained without authority, is liable, on summary conviction, to a fine not exceeding £1,000, and on conviction on indictment, to a fine not exceeding £50,000. The report of the Data Protection Commissioner referred to by the Deputy makes no proposal for increasing the penalties provided for in the Act. However, my Department shall keep the penalties under review in consultation with the commissioner.
In so far as codes of practice are concerned, the Act of 1988 already represents a code of practice generally for the processing of personal data. The Act in addition makes express provision for specific codes of practice to be drawn up on an administrative basis and in this connection requires the Data Protection Commissioner to encourage trade associations and other bodies representing data controllers or data processors to prepare those codes for the guidance of their members. I have no general function in the drawing up of such codes other than to arrange for copies of them when made to be laid before each House, but I shall arrange to bring to the attention of the Department of Public Enterprise the suggestion made by the Deputy.
