Mandatory data breach notification on the horizon, says ICO

The ICO plans to use its new powers to enforce data protection in the UK, says David Smith, deputy information commissioner.

The Information Commissioner's Office (ICO) plans to use its new powers to enforce data protection in the UK, says David Smith, deputy information commissioner.

The ICO is no longer a toothless watchdog and will be making it tougher for the minority of organisations that still do not toe the line on data protection, he told the opening session of Infosecurity Europe 2010 in London.

Despite all the attention on the importance of data protection in the wake of high-profile data breaches by HMRC, the Home Office and the MoD, organisations are still losing personal information stored on unencrypted computers and data storage devices, he said.

In the short term, Smith said the new powers to impose fines of up to £500,000 for serious breaches of personal information will undoubtedly help focus organisations on getting data protection right.

The negative publicity associated with the fines will also help make organisations take data protection more seriously, he said.

There are also a number of changes on the horizon to enable tougher action such as mandatory breach notification legislation.

Although voluntary at present, within 18 months the UK will have to introduce breach notification legislation for the telecoms sector in terms of a European directive, and it is likely there will be a more general law before too long, he said.

The prime minister has granted us permission to conduct spot checks in all government departments, but we can ask to extend this power to other public bodies and even private sector organisations if we can show the need, he said.

Punishments will also increase, said Smith, with custodial sentences under consideration by government for people who con information out of people and organisations or those who sell information on the black market, which are already criminal offences.

The government has already completed its public consultation on the matter and is currently considering its response, he said.

A review of the European data protection directive is due in coming months, and this too will bring changes to legal and regulatory requirements, said Smith.

The UK is also facing the prospect of a change in government, but whatever party or parties are in power, there is no doubt that data protection will feature strongly, he said.

Despite the increased powers and resources to audit, investigate and take action against organisations, Smith said the ICO's primary focus would be on helping organisations get it right.

Research has shown that there is a relative lack of information and resources for small and medium-sized businesses, he said.