Latest U.K. data security laws get tough on fines, PETs and policies

Data security laws may be changing rapidly due to high-profile breaches like the November 2007 data loss at HMRC, but legislative developments had actually begun much earlier than last year. Stewart Room explores previous developments and explains how the regulations have even sharper teeth these days.

Don't miss need-to-know info!
Security pros can't afford to be the last to know. Sign up for email updates from and you'll never be behind the curve!
U.K. data security laws are being comprehensively overhauled at an incredible speed. Although much of this activity is consequent upon the loss of Her Majesty's Revenue and Customs' (HMRC) data disks in November 2007, the current agenda of law reform for data security commenced in 2004, when the Financial Services Authority (FSA) first started to highlight the importance of data security within the regime established under the Financial Services and Markets Act 2000. Indeed, a consideration of FSA press releases promoting recent financial penalty notices or security breaches will reveal the following standard text:

"Since 2004, the FSA has issued a number of speeches and publications to raise awareness within the financial services sector of the need for firms to take action to combat the risks of financial crime."

It is worth bearing in mind that the FSA's position on data security is an example of "soft law." Soft law, which encompasses guidance issued by regulators, is just one component of law reform. The other components are "hard law," which is the black-letter of statutes and instruments like electronic commerce (EC) directives, and "case law," the decisions of the courts. Regulators develop soft law in order to add detail to, or to progress or develop hard law. Thus, law reform for data security is being driven forward in three different ways, which partly goes to explain why the law has moved so fast.

The activities of the Information Commissioner's Office (ICO) -- U.K.'s independent regulator for data protection established under the Data Protection Act -- stand as examples of soft law, and it would be fair to say that since HMRC's data loss, the Commissioner's office has been publishing guidance at an unprecedented rate. Their first forays into data security, however, were in April 2006, when the office issued guidance on the use of "privacy enhancing technologies" (PETs) by data controllers.

Privacy enhancing technologies
The PETs agenda is a major component of law reform and has been adopted by the FSA and the government. PETs have been described as technology that helps to protect privacy or which facilitates an organisation's compliance with the principles of data protection.

The European Commission has also embraced the use of PETs, as is evidenced by an important Communication to the European Parliament and Council in May 2007. Therefore, organisations are strongly encouraged to incorporate PETs within the design of their information security management systems, an outcome that is also promoted by ISO 27001/2, an international code of practice for information security management.

Further evidence of the PETs agenda within regulation can be found within formal amendments to the Commissioner's enforcement strategy. His November 2007 amendment "Our Approach to Encryption," for example, has been used to support high-profile enforcement action ordering laptop encryption. The FSA's April 2008 strategy on data security further reinforces the PETs agenda, and it is notable that its February 2007 fine of the Nationwide Building Society Corp. (£980,000) arose from an absence of encryption.

ICO and the Criminal Justice and Immigration Act
The Information Commissioner's Office has also been highly successful in promoting black letter amendments to the law. For example, in May 2006, the Office published a report to Parliament calling for the introduction of prison sentences for people and organisations convicted of "data theft." That report, "What price privacy?," led directly to the Criminal Justice and Immigration Act 2008, which amended the Data Protection Act to enable the introduction of prison sentences.

Although the "What price privacy?" agenda stands as an obvious testament to the Commissioner's success in the field of law reform for data security, it is in the field of financial penalties where the office has made the greatest impression, since financial penalties are likely to be issued more frequently and with greater overall effect than the handing down of prison sentences for data theft.

To explain, in December 2007, the ICO took advantage of the heightened interest in data security generated by HMRC to call for the introduction of financial penalties for organisations that breach specified data protection principles (see the Commissioner's report titled "The Case for Amending the Data Protection Act 1998"). The data protection principles include the security principle, which requires data controllers to take "appropriate technical and organisational measures" to keep data safe.

The Criminal Justice and Immigration Act has introduced a power for the Commissioner's Office to fine controllers suffering security breaches, and the first fines are likely to be issued during the coming 12 months. Regarding the likely level of punishments, we know that the FSA fined Norwich Union £1.26 million in December 2007, and there is no reason to think that this represents the uppermost regions of penalties.

Data breach notification legislation
Another area of law reform is breach notification. Although it is clear that the Data Protection Act does not contain an express breach-notification rule, there are measures within the act that are indicative of the existence of such an obligation. For example, the Act contains a series of transparency safeguards, such as the notification regime and the subject access regime, which can encompass many aspects of breach notification philosophies in individual cases.

Furthermore, when the DPA is read through the lens of the Human Rights Act (which incorporates the right to privacy into our domestic law), the argument for the existence of a breach-notification obligation seems to be compelling. Also in March 2008, the Information Commissioner's Office published guidance on breach notification, which shows that it expects data controllers to report serious incidents to his office.

The FSA has also warned regulated firms that it expects serious incidents to be reported, and the government has adopted breach notification as a consequence of the Hannigan Review and the O'Donnell Report (these reports form part of the U.K. Government's "Data Handling Review," which was commenced immediately after the loss of the HMRC data disks, in order to improve security across central government). Likewise, the EU is contemplating the introduction of a specific breach-notification obligation into the data security framework for the electronic communications sector. In November 2007, the European Commission proposed the introduction of reporting rules in a new directive, and this proposal received widespread support during a debate within the European Parliament at the beginning of September 2008.

The new strength of data security laws
The developments referenced here represent the tip of the iceberg, but it is hoped that they encourage organisations to take data security laws more seriously. The law is not toothless, as many high-profile organisations can now testify to, and the business imperative to ensure tight security is now stronger than ever.

About the author:
Stewart Room, Barrister and Solicitor, is a partner in the Technology Law Group at Field Fisher Waterhouse LLP. He is named as one of the UK's leading data protection lawyers in legal directory Chambers UK and in October 2008 he was awarded the prestigious prize of "Legal Innovator of the Year" by the Financial Times, for his work with major IT companies. He is the president of the National Association of Data Protection Officers and the author of Data Protection and Compliance in Context (December 2006), Email: Law Practice and Compliance (to be published in December 2008) and Data Security Law and Practice (to be published in July 2009). He is a visiting lecturer on information law at various universities.

Read more on Regulatory compliance and standard requirements