Information Commissioner’s Office asks UK to criminalise severe data breaches

The UK Information Commissioner's Office (ICO) has asked the government to make serious breaches of the Data Protection Act a criminal offence, rather than attracting fines as at present.

The UK Information Commissioner's Office (ICO) has asked the government to make serious breaches of the Data Protection Act a criminal offence, rather than attracting fines as at present.

Under the ICO's proposals to the Ministry of Justice, the government would introduce a criminal offence for knowingly and recklessly flouting the Data Protection Act 1998. David Smith, assistant commissioner, told the House of Lords' constitution committee on November 14 that if patient records were left on an unencrypted laptop on the back seat of a car, and these were stolen, "that blatant risk should attract a criminal offence".

Smith added that it is "an anomaly" that only financial services organisations can suffer serious consequences for such breaches, such as the £980,000 fine levied on Nationwide building society earlier this year by the Financial Service Authority.

The ICO is also asking for the right to inspect personal data processing operations, which it can currently carry out only with consent, although Smith said the ICO "would not inspect thousands and thousands of organisations" if it wins such a right.

The government is already introducing criminal charges for those who trade personal data, in clause 75 of the criminal justice and immigration bill now before parliament. Richard Thomas, the information commissioner, told the committee, "We are delighted they have accepted our recommendation to increase the penalty."

In a 2006 report, What Price Privacy?, the ICO highlighted how financial institutions, lawyers and journalists illegally obtain personal data through private investigators and published a tariff of charges for different kinds of information.

Thomas also told the committee of his concerns on aspects of the government's identity card scheme. "We continue to question why so much transaction data will be collected," he said, referring to the plan to retain in a central database an "audit trail" of every time individuals' cards or records are accessed, adding that he was meeting with the Identity and Passport Service on 14 November to discuss secondary legislation to the Identity Cards Act.

Thomas also questioned the government's planned database of all children, rather than just those known to be at risk, and also the existing criminal record checks on those seeking to work with children, which reveal any offence, however trivial and however long ago. But he added that parts of government are increasingly aware of threats to personal data, with the Department of Health supporting the ICO proposal for increased penalties, as this would help secure its centrally-held health records for patients in England under the Connection for Health scheme.

Last month Gordon Brown, the prime minister, asked Thomas to review public and private-sector data sharing with Mark Walport, director of the Wellcome Trust. Thomas told the committee that they will report in mid-2008, with a consultation paper to be released shortly. "We both agree, information sharing is no panacea," he said.

Although it has useful and reasonable applications, information sharing should not be carried out just for its own sake. "We will be trying to identify where the boundary lines should be drawn," he said.

When asked whether the public was concerned about information sharing, Thomas pointed to research released on 14 November showing that 94% of British adults surveyed are concerned that organisations are selling their personal data without permission, and that 90% believe organisations are failing to keep such data secure.

The research, which was prepared by SMSR and surveyed 1000 people, showed a growing awareness of data protection, with 90% aware of the right to see personal data, compared with 74% three years ago.

Although the ICO is also requesting increased powers to be consulted over new data-sharing schemes, Thomas said the ICO had not always been vigilant, when questioned about the UK police DNA database. As the result of a 2003 law, this includes the genetic code of anyone arrested, regardless of whether they are found guilty. Thomas, who was in the job when the law went through parliament, said the ICO questioned, and continues to question, the need for innocent citizens' DNA to be retained, but added, "Perhaps we missed a trick in not shouting loud enough."

This article first appeared on the website of Infosecurity magazine.

Read more on Privacy and data protection