The Information Commissioner's Office (ICO) has been granted new powers to impose fines on organisations that lose personal data, following the amendment of the Criminal Justice and Immigration Act.
Deputy information commissioner David Smith said the change in law would send a very clear signal that data protection must be a priority.
The powers represent a step up from the ICO's less draconian power to issue an enforcement notice against organisations in breach of the Data Protection Act.
"The prospect of substantial fines for deliberate or reckless breaches of the Data Protection Principles will act as a strong deterrent," he said.
However, Dai Davis, partner at law firm Brooke North, said without sufficient funding for the ICO to take legal action against offenders, the changes would have limited impact.
Others have called for the UK to consider a US-style disclosure law to give the public confidence that private data is safe.
"A breach notification law would complement UK data protection laws and ensure the public is informed when data losses occur so they can take steps to deal with it," said Greg Day, security analyst for security company McAfee.
Davis said a disclosure law would have a far greater impact than fines on larger companies, which are very wary of adverse publicity.
He said that, given the bulk of the [Data Protection] Act is still not criminalised, the logical step would be to provide for mandatory disclosure when information security breaches occur, rather than prosecutions, which are likely to be rare and under-funded.
Vinod Bange, associate at law firm Eversheds, said even in the absence of a data breach notification law, UK organisations should notify individuals if their personal data has been lost.
Individuals can still take a civil action against organisations for damage and distress caused by breaches of personal information, he said.
"It seems inevitable that if organisations want to minimise the damage and distress to individuals caused by losing or disclosing personal information, those affected have got to be told," he said.
UK companies with US connections already have little choice but to disclose any data breaches, because they are unlikely to get away with treating customers or staff in one jurisdiction differently from those in another.
"The US laws are aimed at protecting the individual, so if a UK company were to lose information about someone who lives in California, it could be liable to the data protection laws of that state," said Day.
As awareness and concern over data breaches increases and the trend towards disclosure laws grows, information security will soon become a necessity for every organisation responsible for private data.