Are organisations required to disclose a security breach to affected persons or regulators? This is a vexed question. On the one hand, it is widely accepted that the period immediately after a security breach is when a person's data is most vulnerable to abuse and misuse, and that affected individuals therefore need the protection of data breach notification laws and rules.
On the other hand, the Data Protection Act contains no specific breach-notification obligation. The absence of such a requirement sends mixed messages: the law is taking a tougher approach to data security, yet it does not require the breach-notification steps that are now essentially mandatory in the United States.
There have been tectonic movements in the breach notification landscape. In March 2008, for example, the Information Commissioner's Office (ICO), the U.K.'s independent regulator for data protection, published new guidance on the situations in which a data controller is expected to notify the commissioner of a security breach. Although the legal basis of the guidance is unclear, the fact that the regulator wants breaches reported is bound to have great influence over whether incidents are in fact reported.
The ICO takes both a quantitative and a qualitative approach to breach notification. The commissioner's office states that there should be a presumption to report "where a large volume of personal data is concerned and there is a real risk of individuals suffering some harm." As a "rule of thumb," the ICO also says that a large volume of data is "any collection containing information about 1,000 or more individuals." The government has taken the same line as the commissioner and has implemented a mandatory breach-notification rule for the public sector, a position that is shared by the Financial Services Authority. However, the question remains: is there a legal obligation to report security breaches?
Although the Data Protection Act is silent on breach reporting, it does contain provisions that could be read as implying an obligation to report. For example, the obligation to register as a data controller includes a requirement to keep the registration up to date, which could be interpreted to extend as far as requiring the notification of security breaches. However, the real answer to the question will not be found in the DPA, but rather in the Human Rights Act 1998.
The HRA incorporated the rights set out in the European Convention on Human Rights into U.K. domestic law. One of these rights is the right to privacy (the right to respect for private life). Because of the way in which the HRA operates, the courts are obliged to have regard to the right to privacy in everything that they do, which means that they must protect privacy in any case that comes before them in which a privacy issue is raised. Consequently, a person who suspects that a data controller has suffered a security breach has good prospects of obtaining an order from the courts for disclosure of the details, relying upon the right to privacy. The HRA should fill the gaps left by the DPA; after all, it would be an unfortunate situation if the law protected data at every step leading up to a security breach but not afterwards, since it is after a breach that data and individuals need the full protection of the law.
Some suggest that data breach notification laws should be clarified by Parliament, although clarification at the EU level seems more likely as a first step, given the greater appetite of the European Commission and the European Parliament for mandatory breach notification rules. Following proposals for a new directive published by the commission in November 2007, the European Commission, Council and Parliament are now engaged in a debate about the introduction of a formal breach-reporting obligation for the electronic communications sector.
The U.K. government and the Information Commissioner have shown less appetite for introducing formal rules by legislation. Instead, they prefer the law to develop at the regulatory level, with the result that the commissioner's rules on the reporting of breaches to his office are now in the ascendant.
The detail of breach notification law will remain uncertain in the short to medium term, but in the longer term the introduction of formal rules by legislation seems very likely. Pending such legislation, data controllers should watch for further changes in the law and adjust their security policies accordingly.
About the author:
Stewart Room, Barrister and Solicitor, is a partner in the Technology Law Group at Field Fisher Waterhouse LLP. He is named as one of the U.K.'s leading data protection lawyers in legal directory Chambers UK and in October 2008 he was awarded the prestigious prize of "Legal Innovator of the Year" by the Financial Times, for his work with major IT companies. He is the president of the National Association of Data Protection Officers and the author of Data Protection and Compliance in Context (December 2006), Email: Law Practice and Compliance (to be published in December 2008) and Data Security Law and Practice (to be published in July 2009). He is a visiting lecturer on information law at various universities.