ICO given new powers to fine organisations for data losses

The Information Commissioner's Office (ICO) has been granted new powers to impose fines on organisations that lose personal data, following the amendment of the Criminal Justice and Immigration Act.


Deputy information commissioner David Smith said the change in law would send a very clear signal that data protection must be a priority.

The powers represent a step up from the ICO's less draconian existing power to issue an enforcement notice against organisations in breach of the Data Protection Act.

"The prospect of substantial fines for deliberate or reckless breaches of the Data Protection Principles will act as a strong deterrent," he said.

However, Dai Davis, partner at law firm Brooke North, said without sufficient funding for the ICO to take legal action against offenders, the changes would have limited impact.

Others have called for the UK to consider a US-style disclosure law to give the public confidence that private data is safe.

"A breach notification law would complement UK data protection laws and ensure the public is informed when data losses occur so they can take steps to deal with it," said Greg Day, security analyst for security company McAfee.

Davis said a disclosure law would have far greater impact than fines against larger companies who are very wary of adverse publicity.

He said given that the bulk of the [Data Protection] Act is still not criminalised, the logical step would be to provide for mandatory disclosure when information security breaches have been made, rather than prosecutions that are likely to be rare and under-funded.

Vinod Bange, associate at law firm Eversheds, said even in the absence of a data breach notification law, UK organisations should notify individuals if their personal data has been lost.

Individuals can still take a civil action against organisations for damage and distress caused by breaches of personal information, he said.

"It seems inevitable that if organisations want to minimise the damage and distress to individuals caused by losing or disclosing personal information, those affected have got to be told," he said.

UK companies with US connections already had little choice but to disclose any data breaches because they were unlikely to get away with treating customers or staff in one jurisdiction differently from those in another.

"The US laws are aimed at protecting the individual, so if a UK company were to lose information about someone who lives in California, it could be liable to the data protection laws of that state," said Day.

As awareness and concern over data breaches increases and the trend towards disclosure laws grows, information security will soon become a necessity for every organisation responsible for private data.

Recent UK information security breaches

November 2006

Laptop theft exposes Nationwide Building Society customers to risk of financial crime

November 2007

HMRC loses personal details of 25 million child benefit recipients

December 2007

Ministry of Justice loses four disks with details of crime victims and witnesses

HMRC admits losing the personal details of more than 6,500 people claiming pensions

January 2008

MOD loses laptop containing details of up to 600,000 defence personnel

NHS admits losing 4,000 medical and personal records on a USB memory stick

April 2008

HSBC admits losing a disk containing details of 370,000 UK insurance customers
