The Information Commissioner's Office may start inspecting organisations to assess the way they deal with personal data, the deputy Information Commissioner said yesterday.
Speaking at a Westminster seminar, David Smith said he would support the prosecution of company directors whose organisations committed data breaches. "There should be board-level accountability," he said.
His comments came a week after a raft of reports criticising the government's handling of personal data. Instances include HMRC's loss of the personal details of 25 million people after two discs were sent through the post.
Smith said the ICO wanted powers to inspect companies and a requirement for companies to assess their own security practices and report the results back to the ICO.
"We intend to introduce self-evaluation," Smith said. "But at the moment we don't have the power to do inspections, so we don't have the power to do self-assessment either. When we will have that power depends on legislation."
The government intends to consult on the issue, so it will take some time before any new powers come into force. "It won't be a matter of months," Smith said.
He added that a lack of accountability was one of the biggest problems at HMRC, which lost the details of 25 million people when it sent two discs through the post to the National Audit Office (NAO) last November.
"The decision to release those discs was taken at a relatively low level," Smith said. "Security was not a management priority."
Smith argued that protecting information was too low a priority in many organisations, particularly in central government. The real driver, he said, would be reputation, because organisations needed their customers' trust to succeed.
"Reputation is absolutely crucial for business, and reputation comes down to trust," Smith said. "If the private sector doesn't get it right, they're out of business. The public sector could learn lessons from that."
A series of reports published last week set out reforms for keeping data secure across government. The issue has attracted attention over the last year after dozens of data breaches and losses in both the public and private sectors.