Review of UK data protection: Should fines go OVER HALF A MIL?

It's not like it's taxpayers' money or anything. Oh wait...

The UK government should consider raising the level of fines that the Information Commissioner's Office (ICO) can impose on organisations that breach the Data Protection Act (DPA), an expert has said.

Data protection law specialist Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, said that a previous increase in the maximum level of fine that could be issued for civil breaches of the DPA had prompted organisations to take the issue of data protection seriously.

She said that as part of its current review of criminal sanctions under the DPA being undertaken by the Ministry of Justice, the government should consider strengthening the civil monetary penalty regime under the Act too.

"In 2010, when the ICO was first handed the power to issue civil monetary penalties of up to £500,000 to organisations that breach the DPA, there was a marked change in businesses' attitude towards data protection," Wynn said. "Businesses began taking more seriously the need to put in place appropriate security against the loss or theft of the personal data they were responsible for, and they also improved the due diligence they conducted on third party processors' handling of the data too."

"However, it still remains the case that for the very biggest companies, a fine of £500,000 would represent a drop in the ocean and a small part of the overall costs those organisations would encounter if they experienced a major data breach," she said. "There would be another step-change in the seriousness with which organisations address data security if they could be fined a more significant sum. It could even act as a driver towards a market shift in the enhancement of cloud providers' security offerings since organisations would have a greater onus on ensuring data security when they are outsourcing processing and storage to a cloud provider."

"Changes to the civil monetary penalty regime are already envisaged under the EU's draft General Data Protection Regulation. A similar approach to the one envisaged under those rules, where the level of penalty organisations could face for a data breach would be calculated on the basis of a percentage of their annual turnover, would act as a major deterrent to non-compliance from the largest companies and drive better data protection practices across industry. This would in turn better prepare organisations for compliance with the new Regulation when it is finally introduced," Wynn added.

Earlier this week justice minister Simon Hughes said that the UK government had begun a review of the sanctions available for breaches of the DPA. He said the review would help it "decide whether to increase the penalties as the law permits".

A spokesman for the Ministry of Justice confirmed to Out-Law.com that the review is concerned with the criminal sanctions regime under the DPA, rather than the penalties available in civil cases.

Section 55 of the Data Protection Act (DPA) makes it an offence for a person, "knowingly or recklessly", to obtain or disclose personal data or the information contained in it, or to procure its disclosure to another person, without the consent of the data controller.

The current penalty for committing a section 55 offence is a maximum £5,000 fine if the case is heard in a magistrates court and an unlimited fine for cases tried in a crown court.

Under the Criminal Justice and Immigration Act (CJIA) the justice secretary has the power to make regulations that would allow a custodial sentence to be imposed for offences under Section 55 of the DPA, but that power has never been exercised: the CJIA came into force in 2008 without the custodial penalty being activated.

In a speech given at the ICO's Data Protection Practitioner Conference in Manchester on Monday, Hughes said that information commissioner Christopher Graham has argued "eloquently" for the powers under the CJIA to be invoked and confirmed that a review had been started within government on whether to do so.

"Serious misuse of personal data by any sector causes significant distress and damage to ordinary citizens and undermines public trust in public institutions and business which in turn can undermine economic growth," Hughes said.

The justice minister also confirmed that the government would change the law to "prohibit a person from requiring someone else to produce certain records [relevant to those individuals] as a condition of employment, or for providing a service, other than where the relevant record is required by law or where it is justified in the public interest". This practice is known as an enforced subject access request.

"The powers to ban enforced subject access requests, under the yet-to-be-enforced Section 56 of the DPA, are less relevant than they may have been previously," Wynn said. "This is in part because, in the context of criminal record checks, organisations can follow a process for obtaining relevant information for their checks through the Disclosure & Barring Service and do not need prospective new staff to submit a subject access request to the police which would reveal all the information held about those individuals."

"Additionally, businesses are less likely to require individuals to submit a subject access request with other organisations when seeking to agree a contract with those individuals over the provision of services. In the age of big data, they do not need individuals to carry out subject access requests to find out more about them. It is instead increasingly common for individuals to volunteer information or alternatively allow companies to track their preferences and activity if they are offered access to innovative goods or services in return, or a cheaper or better value product offering," she said.

"Where the Section 56 powers may have an effect is in the claims management industry where companies often require individuals to submit a subject access request with other organisations to uncover evidence they can use in acting on behalf of those individuals in making claims against those organisations," Wynn added.

Copyright © 2014, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.
