Data losers face jail and fines, says Jack Straw
Organisations that lose data face cash fines, tougher inspections and even jail, if proposals from Justice Secretary Jack Straw to strengthen the Information Commissioner's Office (ICO) come into force.
Large companies that register as data collectors face a price hike to £1000 from a new tiered fee structure, rather then the £35 flat fee they pay today. This would give the ICO more money to enforce data protection legislation, even though some smaller firms might pay nothing.
Straw's proposals come as the Home Office launches a consultation on how best to roll out a registration process for the controversial national identity card that Scotland rejected last week.
They follow the recent disclosure that the government lost dozens of data storage devices, ranging from laptops to mobile phones and USB memory sticks last year, as well as the names and personal details of some 35 million citizens.
The proposals will enable the ICO to:
• fine data controllers for deliberate or reckless loss of data
• raid central government departments and public authorities to check compliance with the Data Protection Act without always requiring prior consent
• say when organisations should notify the ICO of breaches of the data protection principles
• publish a statutory data sharing code of practice to provide practical guidance on sharing personal data.
Data controllers are already at risk of criminal charges. Where data controllers ignore an ICO enforcement notice, "They are committing a criminal offence and the ICO is able to take appropriate action to force compliance with legislation", the government said in its response to the Data Sharing Review.
The review, by Mark Walport and ICO boss Richard Thomas, was published in July. The government commissioned it following the loss last year of the names and bank details of 25 million benefits recipients by the HM Revenue & Customs and more than 200 other data breaches, notably by the military.
Straw said the secure storage and "careful sharing" of personal information has become paramount. "Strong regulation and clear guidance is essential if we are to ensure the effective protection of personal data," he said.
He said the proposed changes would strengthen the ICO's ability to enforce the Data Protection Act and improve the transparency and accountability of organisations dealing with personal information. "This is very important if we are to regain public confidence in the handling and sharing of personal information," he said.
Government's moves to shore up data protection
The government has already taken steps to shore up data protection under its own roof. This follows recommendations published in July by Mark Walport and ICO boss Richard Thomas as part of a review of state data sharing arrangements.
In its response to Walport and Thomas, the government said all government departments had reviewed and improved training on data handling, or are doing so.
HM Revenue & Customs, which last year lost two discs that held the names and bank details of 25 million benefits recipients, is training around 90,000 staff, it said.
"The NHS also launched a training programme on information risk in May, which will be available for more than one million NHS staff," it said.
The Cabinet Office and the National School for Government were developing an e-learning training module for all central and local government departments and government agencies. It would be deployed in autumn, it said.