U.K. seeks tougher penalties for data loss
- By Brian Robinson
- Dec 01, 2008
Under proposed new rules and legislation, organizations in the United Kingdom that lose people’s personal data could be hit with big fines, and government bodies could be subject to much stricter oversight of their efforts to protect such data.
The Information Commissioner’s Office (ICO) could fine organizations that display “deliberate or reckless loss of data,” according to proposed rules released Nov. 24. Central government departments and public authorities would also be subject to inspection without prior consent to ensure that they are complying with the Data Protection Act (DCA).
The actions come after several high-profile data losses for the U.K.'s government. In 2007, a database holding the records of 25 million people was copied onto several CDs and then lost in transit between government offices.
Then the records on all 84,000 prisoners in England and Wales were copied onto a USB thumb drive, which was lost.
Jack Straw, secretary of state for justice, said the proposals would strengthen ICO’s ability to enforce the DCA. “This is very important if we are to regain public confidence in the handling and sharing of personal information,” he said.
The rules would also:
* Require any individual to provide information necessary to determine DCA compliance.
* Impose a deadline and location for when and where that information would be produced.
* Publish guidance for when organizations should notify ICO about data breaches.
* Publish a statutory code of practice for sharing data.
In a related development, a bill recently introduced in Parliament would allow U.K. Information Commissioner Richard Thomas to implement some of the proposals by imposing fines on businesses for the "deliberate or reckless loss of data."
The legislation would also permit Thomas' office to spot-check central
government and local authorities for compliance with the DCA. It also calls for the U.K.'s information commissioner's office to publish rules on how and when organizations should notify it of data breaches.
Brian Robinson is a freelance writer based in Portland, Ore.