The Information Commissioner's Office (ICO) has been granted new powers to impose fines on organisations that lose personal data, following the amendment of the Criminal Justice and Immigration Act.

Deputy information commissioner David Smith said the change in law would send a very clear signal that data protection must be a priority.

The powers represent a step up from the ICO's less draconian powers to issue an enforcement notice against organisations in breach of the Data Protection Act.
"The prospect of substantial fines for deliberate or reckless breaches of the Data Protection Principles will act as a strong deterrent," he said.

However, Dai Davis, partner at law firm Brooke North, said that without sufficient funding for the ICO to take legal action against offenders, the changes would have limited impact.

Others have called for the UK to consider a US-style disclosure law to give the public confidence that private data is safe.

"A breach notification law would complement UK data protection laws and ensure the public is informed when data losses occur so they can take steps to deal with it," said Greg Day, security analyst for security company McAfee.
Davis said a disclosure law would have far greater impact than fines against larger companies, who are very wary of adverse publicity.

He said that given that the bulk of the [Data Protection] Act is still not criminalised, the logical step would be to provide for mandatory disclosure when information security breaches have been made, rather than prosecutions that are likely to be rare and under-funded.

Vinod Bange, associate at law firm Eversheds, said that even in the absence of a data breach notification law, UK organisations should notify individuals if their personal data has been lost.

Individuals can still take a civil action against organisations for damage and distress caused by breaches of personal information, he said.

"It seems inevitable that if organisations want to minimise the damage and distress to individuals caused by losing or disclosing personal information, those affected have got to be told," he said.

UK companies with US connections already had little choice but to disclose any data breaches, because they were unlikely to get away with treating customers or staff in one jurisdiction differently from those in another.

"The US laws are aimed at protecting the individual, so if a UK company were to lose information about someone who lives in California, it could be liable to the data protection laws of that state," said Day.

As awareness and concern over data breaches increases and the trend towards disclosure laws grows, information security will soon become a necessity for every organisation responsible for private data.
Recent UK information security breaches

November 2006
- Laptop theft exposes Nationwide Building Society customers to risk of financial crime

November 2007
- HMRC loses personal details of 25 million child benefit recipients

December 2007
- Ministry of Justice loses four disks with details of crime victims and witnesses
- HMRC admits losing the personal details of more than 6,500 people claiming pensions

January 2008
- MOD loses laptop containing details of up to 600,000 defence personnel
- NHS admits losing 4,000 medical and personal records on a USB memory stick

April 2008
- HSBC admits losing a disk containing details of 370,000 UK insurance customers