
ICO asks UK to criminalise severe data breaches

14 November 2007

The UK information commissioner’s office (ICO) has asked the government to make serious breaches of the Data Protection Act a criminal offence, rather than attracting fines as at present.

Under the ICO’s proposals to the Ministry of Justice, the government would introduce a criminal offence for knowingly and recklessly flouting the Data Protection Act 1998. David Smith, assistant commissioner, told the House of Lords’ constitution committee on November 14 that if patient records were left on an unencrypted laptop on the back seat of a car, and these were stolen, “that blatant risk should attract a criminal offence”.

Smith added that it is “an anomaly” that only financial services organisations can suffer serious consequences for such breaches, such as the £980 000 fine levied on Nationwide building society earlier this year by the Financial Services Authority.

The ICO is also asking for the right to inspect personal data processing operations, which it can currently carry out only with consent, although Smith said “we would not inspect thousands and thousands of organisations” if it wins such a right.

The government is already introducing criminal charges for those who trade personal data, in clause 75 of the criminal justice and immigration bill now before parliament. Richard Thomas, the information commissioner, told the committee: “We are delighted they have accepted our recommendation to increase the penalty.”

In a 2006 report, What Price Privacy?, the ICO highlighted how financial institutions, lawyers and journalists illegally obtain personal data through private investigators and published a tariff of charges for different kinds of information.

Thomas also told the committee of his concerns on aspects of the government’s identity card scheme. “We continue to question why so much transaction data will be collected,” he said, referring to the plan to retain in a central database an ‘audit trail’ of every time individuals use cards or records are accessed, adding that he was meeting with the Identity and Passport Service later on 14 November to discuss secondary legislation to the Identity Cards Act.

Thomas also questioned the government’s planned database of all children, rather than just those known to be at risk, and also the existing criminal record checks on those seeking to work with children, which reveal any offence, however trivial and long-ago.

But he added that parts of government are increasingly aware of threats to personal data, with the Department of Health supporting the ICO proposal for increased penalties, as this would help secure its centrally-held health records for patients in England under the Connecting for Health scheme.

Last month Jack Straw, the justice minister, asked Thomas to review public and private-sector data sharing with Mark Walport, director of the Wellcome Trust. Thomas told the committee that they will report in mid-2008, with a consultation paper to be released shortly.

“We both agree, information sharing is no panacea,” he said. Although it has useful and reasonable applications, information sharing should not be carried out just for its own sake: “We will be trying to identify where the boundary lines should be drawn,” he said.

When asked whether the public was concerned about information sharing, Thomas pointed to research released on 14 November showing that 94% of British adults surveyed are concerned that organisations are selling their personal data without permission, and that nine in 10 believe organisations are failing to keep such data secure.

The research, which was prepared by SMSR and surveyed 1000 people, showed a growing awareness of data protection, with 90% aware of the right to see personal data, compared with 74% three years ago.

Although the ICO is also requesting increased powers to be consulted over new data-sharing schemes, Thomas said the ICO had not always been vigilant, when questioned about the UK police DNA database.

As the result of a 2003 law, this includes the genetic code of anyone arrested, regardless of whether they are found guilty. Thomas, who was in the job when the law went through parliament, said the ICO questioned, and continues to question, the need for innocent citizens’ DNA to be retained, but added: “Perhaps we missed a trick in not shouting loud enough.”

 
