Not many IT professionals will have failed to notice that data protection law is toughening up. And most of the momentum is attributable to HM Revenue & Customs (HMRC).
The loss of the HMRC child benefit data discs in 2007 slammed the issue of data protection into our mass consciousness, opening the floodgates to a relentless torrent of bad news stories about data insecurity and to a process of root-and-branch law reform the likes of which we have never before witnessed in the data handling world.
Look how far we have come in three short years: mandatory rules on encryption, a £500,000 fining power for the Information Commissioner, breach disclosure obligations for government and for financial services companies and compulsory audits of government departments. We are also on the cusp of a pan-European breach disclosure regime for the electronic communications sector - this comes into effect in May 2011 - as well as jail sentences for data thieves. In the financial services sector fines for data problems have topped £3m, with the most recent FSA case, against Zurich Insurance, resulting in a £2.75m fine.
Wow, it's toughened up. But what will data protection law look like in five years' time?
The trajectory of law reform is crystal clear. The law will continue to get tougher, with greater prescription of obligations, more expansive transparency rules and more frequent intervention by the regulators. These developments are certain, particularly as the EU Data Protection Directive is going to be amended, with the process starting in January 2011.
To ensure a holistic approach to compliance, the EU and national regulators, like our Information Commissioner, are planning to introduce an "accountability principle" into data protection law. This will require data controllers to put in place a written compliance programme to meet the objectives of the other data protection principles, such as data accuracy and security. The accountability principle will be supplemented by a "privacy by design principle", which will require controllers to identify and minimise the privacy risks at the very beginning of new projects, when they are still on the drawing board. To achieve this, controllers will be required to carry out "privacy impact assessments". They will be required to keep records to prove that they have done all of this, which will be disclosable to the regulators on demand.
The transparency agenda will be furthered by mandatory breach disclosure obligations for all controllers, regardless of the sector in which they operate. They will be required to keep inventories of security incidents and near misses, again for disclosure to the regulators. The regulators will have extensive powers of audit and inspection, allowing them to go anywhere, at any time.
On the sanctions and penalties front, as well as the fining of controllers, there is a good chance that fines will be introduced for directors and for data processors too. I strongly anticipate that before the end of this next five-year cycle we will have arrived at a consensus in the UK that the Information Commissioner's new fining power should be uncapped.
Of course, EU Member States are free to toughen up their own national laws while they await the next version of the Data Protection Directive, as the UK and other countries have been doing in recent times. Who would bet against the UK continuing its own independent cycle of development? The Conservatives have promised a tougher Information Commissioner, the Ministry of Justice is consulting on the amendment of the Data Protection Act and the EU has just sued the UK in the European Court of Justice for weak communications privacy laws. These are huge drivers for further change.
Stewart Room is a partner at Field Fisher Waterhouse LLP. For further information see Stewart's blog at www.stewartroom.com.