
In the past twelve months, public and private sector data losses have
reached embarrassing levels, writes Grant Campbell, partner at
Brodies LLP. Neither relentless media attention nor political
and regulatory criticism have been enough in themselves to force a
change of attitude to data security. In 2009 things look set to get
tougher.
Traditionally cast in the role of quasi-data security officers,
many IT professionals will be all too familiar with the
frustrations of trying to establish an organisational culture of
keeping data safe. The recent catalogue of problems, which has seen
data lost or compromised everywhere from trains to skips, clearly
shows there is still some way to go in changing the way that we work
with personal data.
2009 will see changes to the regulatory regime which, it is
hoped, will force organisations to take a long, hard look at what
they are doing.
But what is the problem with the regime as it stands and how
will these changes make a difference?
Individual redress
Each of us has a right under data protection legislation to claim
compensation for actual loss or damage, financial or physical (but
not for worry alone), if we can prove that the loss stemmed from a
particular organisation's breach of that legislation. However, it
can be very difficult for an individual who has suffered, for
instance, financial loss through identity fraud to prove that it
arose from the security failings of one particular organisation. In
addition, even where compensation might in theory be available in a
given case, access to the courts is expensive and time consuming
and, ultimately, for most people, not a realistic option in practice.
All of this means the threat of individual compensation claims is
not high enough to provide a strong incentive to comply
conscientiously with legislative requirements.
Current regulatory sanctions
As the independent regulatory body charged with policing and
enforcing data protection legislation, the Information
Commissioner's Office has so far had relatively limited powers to
detect and punish non-compliance. The Information Commissioner can
investigate any apparent material breach of legislation that comes
to his attention, and is ultimately entitled to serve an
enforcement notice (non-compliance with which is a criminal
offence) on any organisation which fails to co-operate with him
properly.
However, aside from inflicting reputational damage by publicising
breaches, the Information Commissioner lacks the crucial weapon in
any regulator's armoury - the power to make compliance failures
costly, in particular by imposing financial penalties.
In the financial services sector the Financial Services Authority
has, to some extent, been able to fill this gap. But for government
and the rest of the private sector, until now there has been no
direct prospect of a fine.
What is in store in 2009?
In 2009 a new power will come into force for the Information
Commissioner to impose a financial penalty for a serious, deliberate
or reckless breach of any of the data protection principles,
including the one that deals with data security. Further details of
this power are awaited, in explanatory guidance from the Information
Commissioner and in subordinate legislation setting penalty levels.
If handled correctly, this power could be pivotal in the creation of
a new regulatory climate. If the new power is going to be taken
seriously, the level of fines the Information Commissioner is
entitled to impose will need to be suitably high, perhaps comparable
to those available to the Financial Services Authority (FSA) which,
in 2007, fined Nationwide £980,000 for data security breaches.
In parallel, the Ministry of Justice consulted over the summer
on funding arrangements and greater audit and inspection powers for
the Information Commissioner's Office (ICO), with the first round
of follow-up legislative amendments expected to be introduced in
Parliament shortly.
All of this points to a stronger regulator driving a much
tighter regulatory regime. The ICO must use these changes to force
the fundamental attitude shift which is now required, if public
confidence in data handling is to be restored in the UK.