
ICO: Make 'reckless' data loss an offence

DPA needs updating in light of recent data debacles

Tags: data, dpa, ico, hmrc

By Tom Espiner

Published: 31 January 2008 08:00 GMT

The Information Commissioner's Office (ICO) has called for amendments to UK data-protection laws, including making "reckless" data breaches an offence.

In a document submitted to government, information commissioner Richard Thomas called for the Data Protection Act (DPA) to be amended to include a penalty for data controllers "knowingly or recklessly failing to comply with the principles" of the DPA.

The document said: "The Commissioner is proposing the introduction of a new penalty, limited to breaches that are avoidable, that give rise to a serious data-protection risk and where a criminal state of mind exists. [Currently] there is no effective punishment or deterrent available for those who knowingly or recklessly disregard the requirements of data-protection law in a way that causes a significant risk of harm."

Recent data breaches include the loss of 25 million details by HM Revenue & Customs, reported last November, and the more recent loss of a Ministry of Defence laptop containing 3,700 people's bank details, as well as other data on up to 600,000 people.

The powers of the ICO are limited. For the most part, the ICO cannot impose a penalty for a breach that has occurred. While individuals can be prosecuted for unlawfully obtaining personal data, current sanctions are designed to make an organisation that has suffered a breach liable to a penalty only if it continues to act in a way that contravenes the DPA.

Moreover, government departments are not liable for prosecution under the DPA. Individuals within government can be prosecuted under the law, but only if they act outside their remit by unlawfully obtaining personal data.

The ICO is also seeking greater inspection and enforcement powers. The information commissioner would like to be able to spot-check organisations, stop "seriously unlawful" data-processing immediately, and take enforcement action to prevent breaches of the DPA that haven't occurred, but are likely.

However, legal experts said that major changes to data-protection laws are not likely in the near future. Louise Townsend, a senior associate at Pinsent Masons solicitors, was not convinced that the proposals would lead to radical changes in the law any time soon.

Townsend said: "While we may see some changes, such as the power to audit government departments, changes such as a data-breach notification law or a new offence for gross negligence are unlikely to be imminent."

She added: "The government rejected proposals for a data-breach notification law, and the new offence would have to become government policy, and once it was on the agenda would take time to go through [Parliament]."

Nevertheless, said Townsend, the publicity surrounding data protection at the moment is "at least getting the information commissioner's concerns on the table, and getting the issue talked about."

Original article: Watchdog calls for 'reckless data-breach' offence from ZDNet UK
