UK data protection law should be court in the Act
Disclosure of data breaches will be mandatory for all UK organisations within a few years, but data privacy experts...
say this will be a good thing only if it is done with the right objectives.
Nearly half of UK organisations polled believe UK data protection laws are too relaxed, with 87% saying organisations should be forced to disclose when sensitive data is breached.
From May 2011, internet service providers and telecoms companies will be required by law to disclose data breaches under the current European Union data protection directive.
A revised directive under consideration is likely to expand that requirement to all organisations, and EU member countries will have to revise their laws to reflect that.
In making the new laws, the UK will use the opportunity to build a better regulatory framework for data protection, says Stewart Room, partner at Field Fisher Field Fisher Waterhouse.
Data breach disclosure laws are typically designed to act as a deterrent by punishing data losses, but this should not be the main aim of such legislation, says Room.
The UK should create legislation and a regulatory framework that is aimed at encouraging organisations to identify and eradicate the causes of data breaches, he says.
Punishment doesn't work
Data protection experts agree that where data breach notification laws are purely punitive, organisations tend to bury the evidence and find ways around the law if they can.
"The point of data breach disclosure should be about understanding the problem, not about punishment," says Room.
UK legislators should think carefully about requirements to notify individuals whose data is lost, he says.
In many cases, individuals are not able to do much even if they are notified, says Martin Hoskins, head of data protection at Everything Everywhere, formerly Orange and T-Mobile.
If the individual concerned can take steps to mitigate harm, then notification is important, but otherwise there is very little purpose, he says.
But Room says new legislation on data breach prevention is not only a chance to exert a more positive influence on UK organisations regarding data protection, but it is also an opportunity to build a new regulatory model.
Court date for citizens
As an alternative to data protection being handled by a regulator such as the Information Commissioner's Office (ICO), the UK should look at amending the Data Protection Act (DPA) so that citizens can take their cases to the courts.
"In a court environment, you would have a brainy judge, a brainy lawyer on both sides, and brainy experts in each camp," says Room.
This means there would be more brains focused on the problem instead of just a single regulator and the application of the law could be shaped by relatively few key cases in which the best data protection minds will be applied to real issues that arise.
The involvement of experts is critical because this is far from a trivial area, says James Lyne, senior technologist at security firm Sophos.
"It is one of the most dynamic areas in any aspect of technology, and we are facing a threat that is extremely well-funded, is not bound by laws and moves across international boundaries with horrific speed," he says.
According to Room, the law needs to embrace the rest of the players who also conduct detailed research on data security issues and have something to say.
UK legislation failing
But current UK legislation does not allow the citizen to go to court because it has failed to properly implement the EU data protection directive, he says.
Section 13 of the UK Act, says Room, is out of kilter with the EU directive because Article 23 of the directive calls for compensation for damage suffered by anyone as a consequence of a data breach.
This includes any kind of damage, such as emotional distress or loss of reputation, but compensation under these circumstances is currently blocked by UK law, he says.
Section 13 of the DPA states that compensation for distress is payable only if there is damage, but damage is strictly defined as financial loss, which effectively means the UK citizen is prevented from receiving the benefit outlined in the directive because, in most data breach cases, financial loss is impossible to prove, says Room.
Changing Section 13 of the DPA to get rid of the requirement for financial loss before anyone can get compensation for data breaches should be a top priority, for UK legislators, he says.
But, the UK does not have to wait until the data protection law is redrafted to start moving in a more positive direction.
It will take three to four years for mandatory data breach notification to be included in UK law, but in the meantime, says Room, the ICO should revise its approach because voluntary data breach notification can work only where organisations will not be punished for owning up.
Under a voluntary system, he says, if an organisation discloses data breaches they are behaving better than the law demands and therefore should get something in return from the regulator such as amnesty from punitive action.
Until new legislation can be drafted, the ICO could address this problem by adopting a new approach to encourage more organisations to come forward.
Nearly 33,000 data protection cases were closed by the ICO in the past year according to the annual report, but fewer than 500 organisations reported data breaches to the ICO.
"There are tens of thousands of data breaches happening each year in the UK that the ICO will never hear about," says Room.
If organisations think they can get away with it, he says, they tend to keep quiet and bury the problem, which is why data breach notification must and will become mandatory.
However, most UK organisations lack maturity in data protection and are at a stage where they need to learn how to analyse what is going wrong to prevent it from happening again, says Room.
The ICO's approach to data breach notification, he says, should therefore be aimed at supporting and enabling this process, particularly in the short term.