In the past twelve months, public and private sector data losses have reached embarrassing levels, writes Grant Campbell, partner at Brodies LLP. Neither relentless media attention nor political and regulatory criticisms have been enough in themselves to force a change of attitude to data security. In 2009 things look set to...
Traditionally cast in the role of quasi-data security officers, many IT professionals will be all too familiar with the frustrations of trying to establish an organisational culture of keeping data safe. The recent catalogue of problems, which has seen data lost or compromised everywhere from trains to skips, clearly shows there is still some way to go in changing the way that we work with personal data.
2009 will see changes to the regulatory regime which, it is hoped, will force organisations to take a long, hard look at what they are doing. But what is the problem with the regime as it stands and how will these changes make a difference?
Each of us has a right in terms of data protection legislation to claim compensation for actual loss or damage, financial or physical (but not for worry) which we have suffered, if we can prove the loss stemmed from a particular organisation's breach of data protection legislation. However, it can be very difficult for the individual who has suffered, for instance, financial loss through identity fraud, to prove that it arose from the security failings of a particular organisation. In addition, even where compensation might, in theory, be available in a given case, access to the courts is expensive and time consuming and, ultimately, for most people, not a realistic option in practice.
All of this means the threat of individual compensation claims is not high enough to provide a strong incentive to comply conscientiously with legislative requirements.
Current regulatory sanctions
As the independent regulatory body charged with policing and enforcing data protection legislation, the Information Commissioner's Office has had relatively limited powers to detect and punish non-compliance so far. The Information commissioner can investigate any apparent material breach of legislation that comes to his attention, and is ultimately entitled to serve an enforcement notice (which carries criminal penalties for non-compliance) on any organisation which fails to co-operate with him properly.
However, aside from inflicting reputational damage by publicising breaches, the information commissioner lacks the crucial weapon in any regulator's armoury - the power to make compliance failures costly, in particular by imposing financial penalties. In the financial services sector the Financial Services Authority has, to some extent, been able to fill this gap. But for government and the rest of the private sector, until now there has been no direct prospect of a fine.
What is in store in 2009?
In 2009 a new power will come into force for the information commissioner to impose a financial penalty for a serious, deliberate or reckless breach of any of the data protection principles, including the one that deals with data security. Further details of this power are awaited, in explanatory guidance from the information commissioner and subordinate legislation setting penalty levels. If handled correctly, this power could be pivotal in the creation of a new regulatory climate. If the new power is going to be taken seriously, the level of fines the information commissioner is entitled to impose will need to be suitably high, perhaps comparable to those available to the Financial Services Authority (FSA) which, in 2007, fined Nationwide £980,000 for data security breaches.
In parallel, the Ministry of Justice consulted over the summer on funding arrangements and greater audit and inspection powers for the Information Commissioner's Office (ICO), with the first round of follow-up legislative amendments expected to be introduced in Parliament shortly.
All of this points to a stronger regulator driving a much tighter regulatory regime. The ICO must use these changes to force the fundamental attitude shift which is now required, if public confidence in data handling is to be restored in the UK.