The £500,000 fine that the Information Commissioner's Office can levy for data breaches is too low to get companies to protect personal information properly, say industry experts.
Tony Dyhouse, director of the Digital Systems Knowledge Transfer Network (KTN), said 65% of delegates at a recent KTN meeting believed that the £500,000 penalty was inadequate.
Dyhouse was speaking after a meeting in the KTN's series "A fine balance", which deals with digital privacy and security.
"Many lawyers at the meeting said their clients could write off the £500,000 as a cost of business. A small to medium company would probably not even be fined as heavily because of the need for proportionality," he said. At that level, the fine was too low to be a disincentive against poor data security for the big companies that are the main collectors of personal data.
Dyhouse said he also intended to approach legislators to change section 13 of the Data Protection Act. The section deals with compensation in the event of damage or distress resulting from a data breach. In practice, compensation is restricted to financial damage, said Dyhouse.
This meant that, in practice, the section excluded compensation for reputational damage or worry over losses and costs of repairing breach results, such as time and effort to correct a damaged bank record.
"This is contrary to European legislation and the Information Commissioner's Office guidelines," he said.
If the changes go through, citizens who suffer non-financial damage as a result of a data breach will be able to claim compensation from the organisation that leaked the information.
Dyhouse said the KTN would follow up a suggestion that companies modify their rules for collecting data online as part of a transaction. The idea is to prevent both sides from losing the transaction because the consumer declines to provide personal information that is non-essential to the transaction, such as a birth date to buy a CD.
Dyhouse said this would improve online transaction completion rates and reduce consumer frustration.
Dyhouse said there was a growing concern about the quality of data companies had already collected. Much of it was old and its usefulness was decreasing as the volume of data rose. There was even a suggestion that companies be forced to delete historical data once they had analysed it, he said.
The main benefits of this were that companies could save on data storage and management costs, that data would be more current, and that the risk of personal data breaches was lower.
Data Protection Act Section 13
The Data Protection Act section 13 provides for individuals to claim compensation for breaches of their data. The act states that:
(1) An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.
(2) An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if:
(a) the individual also suffers damage by reason of the contravention, or
(b) the contravention relates to the processing of personal data for the special purposes.
(3) In proceedings brought against a person by virtue of this section it is a defence to prove that he had taken such care as in all the circumstances was reasonably required to comply with the requirement concerned.