Review of UK data protection: Should fines go OVER HALF A MIL?

It's not like it's taxpayers' money or anything. Oh wait...

The UK government should consider raising the level of fines that the Information Commissioner's Office (ICO) can impose on organisations that breach the Data Protection Act (DPA), an expert has said.

Data protection law specialist Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, said that a previous increase in the maximum level of fine that could be issued for civil breaches of the DPA had prompted organisations to take the issue of data protection seriously.

She said that as part of its current review of criminal sanctions under the DPA being undertaken by the Ministry of Justice, the government should consider strengthening the civil monetary penalty regime under the Act too.

"In 2010, when the ICO was first handed the power to issue civil monetary penalties of up to £500,000 to organisations that breach the DPA, there was a marked change in businesses' attitude towards data protection," Wynn said. "Businesses began taking more seriously the need to put in place appropriate security against the loss or theft of the personal data they were responsible for, and they also improved the due diligence they conducted on third party processors' handling of the data too."

"However, it still remains the case that for the very biggest companies, a fine of £500,000 would represent a drop in the ocean and a small part of the overall costs those organisations would encounter if they experienced a major data breach," she said. "There would be another step-change in the seriousness with which organisations address data security if they could be fined a more significant sum. It could even act as a driver towards a market shift in the enhancement of cloud providers' security offerings since organisations would have a greater onus on ensuring data security when they are outsourcing processing and storage to a cloud provider."

"Changes to the civil monetary penalty regime are already envisaged under the EU's draft General Data Protection Regulation. A similar approach to the one envisaged under those rules, where the level of penalty organisations could face for a data breach would be calculated on the basis of a percentage of their annual turnover, would act as a major deterrent to non-compliance from the largest companies and drive better data protection practices across industry. This would in turn better prepare organisations for compliance with the new Regulation when it is finally introduced," Wynn added.

Earlier this week justice minister Simon Hughes said that the UK government had begun a review of the sanctions available for breaches of the DPA. He said the review would help it "decide whether to increase the penalties as the law permits".

A spokesman for the Ministry of Justice confirmed to Out-Law.com that the review is concerned with the criminal sanctions regime under the DPA, rather than the penalties available in civil cases.

Section 55 of the Data Protection Act (DPA) states that it is generally unlawful for a person to "knowingly or recklessly without the consent of the data controller obtain or disclose personal data or the information contained in personal data, or procure the disclosure to another person of the information contained in personal data".

The current penalty for committing a section 55 offence is a maximum £5,000 fine if the case is heard in a magistrates' court and an unlimited fine for cases tried in the Crown Court.

Under the Criminal Justice and Immigration Act (CJIA) the justice secretary has the power to introduce new regulations that would make a custodial sentence available for offences under Section 55 of the DPA, but those powers have yet to be used. The CJIA came into force in 2008 without those powers being exercised at the time.

In a speech given at the ICO's Data Protection Practitioner Conference in Manchester on Monday, Hughes said that information commissioner Christopher Graham has argued "eloquently" for the powers under the CJIA to be invoked and confirmed that a review had been started within government on whether to do so.

"Serious misuse of personal data by any sector causes significant distress and damage to ordinary citizens and undermines public trust in public institutions and business which in turn can undermine economic growth," Hughes said.

The justice minister also confirmed that the government would change the law to "prohibit a person from requiring someone else to produce certain records [relevant to those individuals] as a condition of employment, or for providing a service, other than where the relevant record is required by law or where it is justified in the public interest". This practice is colloquially known as an enforced subject access request.

"The powers to ban enforced subject access requests, under the yet-to-be-enforced Section 56 of the DPA, are less relevant than they may have been previously," Wynn said. "This is in part because, in the context of criminal record checks, organisations can follow a process for obtaining relevant information for their checks through the Disclosure & Barring Service and do not need prospective new staff to submit a subject access request to the police which would reveal all the information held about those individuals."

"Additionally, businesses are less likely to require individuals to submit a subject access request with other organisations when seeking to agree a contract with those individuals over the provision of services. In the age of big data, they do not need individuals to carry out subject access requests to find out more about them. It is instead increasingly common for individuals to volunteer information or alternatively allow companies to track their preferences and activity if they are offered access to innovative goods or services in return, or a cheaper or better value product offering," she said.

"Where the Section 56 powers may have an effect is in the claims management industry where companies often require individuals to submit a subject access request with other organisations to uncover evidence they can use in acting on behalf of those individuals in making claims against those organisations," Wynn added.

Copyright © 2014, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.