Breaching data protection policy is criminal, says Lord Erroll

A key player in shaping IT security policies, Lord Erroll speaks to SearchSecurity UK on his views of data privacy and the recent spate of high-profile data leaks.

The UK Justice Ministry is pondering what can be done to make public and private bodies take greater care of personal data. It is even considering the possibility of introducing new criminal charges for those who suffer security breaches. SearchSecurity UK spoke to Lord Erroll, who has played a major role in promoting debate of security issues in Parliament, about the implications for citizens, professionals and organisations. As secretary to the All-Party Parliamentary Group on Communications, a member of the House of Lords Science and Technology sub-committee, and a member of the UK advisory board to ISSA, his views are likely to influence the shaping of policy.

In the wake of recent high-profile data leakages, are you in favour of criminalising poor security?

Lord Erroll: I think it's a very good idea. There is no point in fining a government department or a very large company, because it really isn't a problem to either of them. In a company you may decide to breach data protection rules because it is only going to cost you £5000 in fines, but £100,000 to implement the provisions. So the notion of fines having any effect is recklessly stupid.

Given the scale of the loss of data at HMRC last year, what are the implications of poor security in Government departments?

Lord Erroll: Government protection of data is important. The big difference between information supplied to private companies and to the Government is that citizens are obliged to provide information to the Government. The Government wants to share data between departments but that has to be done for the right reasons. And as the report being considered by the Justice Ministry points out, there are proposals for data sharing of Government information right across Europe. It means that foreign entities can find out what they want. If you combine that with the European Arrest Warrant, where something could be legal in this country but illegal abroad, then it could have some interesting implications.

What needs to be done?

Lord Erroll: Last August, the House of Lords Science and Technology Committee's Report on Personal Internet Security recommended an urgent increase in the powers of the Information Commissioner to investigate and prosecute. That was turned down at the time by the Government. But now the new House of Commons report, currently being considered by the Justice Ministry, is also arguing for stronger powers for the Information Commissioner, and for more resources for him to do his work. I had not realised quite how limited his powers were. For instance, I had not appreciated that civil servants were actually exempt from some of the provisions of the Data Protection Act.

Do you think data sharing between Government departments is a bad thing?

Lord Erroll: We should be sharing data where it helps the citizen, but consent from the individual is hugely important. 90% of people will consent to their data being shared if it is of benefit. The Department of Work and Pensions has a project called Tell Us Once, where individuals can provide their address once and it will be communicated to all other Government departments that need to know, which could be very beneficial. The problem is that for many people in this country, their address must not be made public – battered spouses, those under witness protection, people in sensitive jobs (e.g. researchers using animals), senior government officials, certain military. There are similar concerns about the ContactPoint database which will allow the sharing of information about children across different agencies, and make that information accessible to more than 200,000 civil servants. It sounds sensible to share information, but you have to be very careful.

In the light of that, what are your views on the proposed National Identity Card Scheme?

Lord Erroll: The trouble with the National ID Card is that it doesn't solve any of the problems it was set up for. It won't stop illegal working, or terrorism. To achieve most of the things it wanted, they had to do data sharing. But they hadn't considered how to do that – and it was not included within the £5.5 billion budget. Sometimes we try to control everything that people do in the hope that it will eliminate all fraud and crime – but it's not true. Instead of finding out everything about everyone to control our lives, we should concentrate on being helpful. I would rather they spend some of the £5.5 billion on data sharing where it is useful to the citizen, and putting in measures so that those who need to transact with government can do so securely and properly. There is lots of technology out there that doesn't involve having smart cards, such as using the mobile phone to do proper two-way authentication as well as two-factor. That way, the organisation you're dealing with authenticates itself back to you, which gets rid of the phishing problem.
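The "two-way authentication" Lord Erroll describes is mutual challenge-response: the organisation must prove it holds the user's enrolled secret before the user proves anything back, so a phishing site that lacks the secret is caught at the first step. The following is an added illustration written for this page, not code from the interview or from any government scheme; it assumes a symmetric key provisioned to the user's phone app at enrolment (the key bytes, nonce sizes and role tags are constructed for the demo) and uses HMAC-SHA256 from the Python standard library.

```python
import hashlib
import hmac
import secrets

# Constructed demo key. In a real deployment it would be provisioned to the
# phone app at enrolment and never typed by the user or sent over the wire.
SHARED_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


def _proof(key: bytes, role: bytes, *nonces: bytes) -> bytes:
    """HMAC-SHA256 over a role tag plus both nonces.

    The role tag ("server" / "client") stops a reflection attack in which one
    side simply echoes the other side's proof back as its own.
    """
    return hmac.new(key, role + b"".join(nonces), hashlib.sha256).digest()


def client_challenge() -> bytes:
    # Fresh per-session nonce; a recorded response cannot satisfy a new one.
    return secrets.token_bytes(16)


def server_respond(server_key: bytes, client_nonce: bytes):
    """Organisation's turn: prove key possession over the client's nonce."""
    server_nonce = secrets.token_bytes(16)
    return server_nonce, _proof(server_key, b"server", client_nonce, server_nonce)


def client_verify_server(key, client_nonce, server_nonce, proof) -> bool:
    expected = _proof(key, b"server", client_nonce, server_nonce)
    return hmac.compare_digest(proof, expected)  # constant-time compare


def client_respond(key, client_nonce, server_nonce) -> bytes:
    """User's turn, only reached after the organisation has proved itself."""
    return _proof(key, b"client", server_nonce, client_nonce)


def server_verify_client(server_key, client_nonce, server_nonce, proof) -> bool:
    expected = _proof(server_key, b"client", server_nonce, client_nonce)
    return hmac.compare_digest(proof, expected)


def run_exchange(client_key: bytes, server_key: bytes):
    """Run the full exchange. Returns
    (server_authenticated, client_authenticated, client_proof_was_sent).

    Passing a server_key that differs from the client's models a phishing
    site that has no enrolled secret for this user.
    """
    c = client_challenge()
    s, server_proof = server_respond(server_key, c)
    if not client_verify_server(client_key, c, s, server_proof):
        # Abort before revealing anything the far side could reuse.
        return False, False, False
    client_proof = client_respond(client_key, c, s)
    return True, server_verify_client(server_key, c, s, client_proof), True


def replay_is_rejected() -> bool:
    """An attacker who recorded one genuine session replays the server's
    half against a fresh client challenge; the fresh nonce defeats it."""
    c_old = client_challenge()
    s_old, proof_old = server_respond(SHARED_KEY, c_old)
    c_new = client_challenge()
    return not client_verify_server(SHARED_KEY, c_new, s_old, proof_old)


if __name__ == "__main__":
    print("genuine organisation:", run_exchange(SHARED_KEY, SHARED_KEY))
    print("phishing site:      ", run_exchange(SHARED_KEY, secrets.token_bytes(32)))
    print("replayed session rejected:", replay_is_rejected())
```

The order matters: the user's device releases its own proof only after the organisation's proof verifies, so a phishing page never obtains anything to relay to the real site. What this does not cover on its own is a live relay of an in-progress session; deployments close that gap by binding the transaction details (amount, payee, session identifier) into the data the HMAC covers so the proof is useless for any other transaction.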

When do you expect the law to change on data breaches?

Lord Erroll: This is such a major issue that there will be a lot of discussion going behind the scenes in the meantime to establish a position. People are not going to just sit back and wait for a response from the Ministry of Justice. But the report has not taken evidence from a wide variety of people, and that still needs to be done.
