Advertisement
Promo

Security threats Toolkit

Privacy watchdog to get power to fine for data loss

Kablenet.com

Published: 25 Nov 2008 12:55 GMT

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

Justice secretary Jack Straw has proposed that the Information Commissioner's Office should receive many of the extra powers it has requested.

These powers include the ability to impose fines on data controllers for deliberate or reckless loss of data and to inspect public-sector organisations for compliance with the Data Protection Act (DPA) without prior consent.

The Ministry of Justice and the Information Commissioner's Office (ICO) are discussing the size of the fines but in a response to the Data Sharing Review — carried out by information commissioner Richard Thomas and Wellcome Trust director Mark Walport — published on Monday, the ministry said: "We can see the merits in using an established, existing model and are considering the implementation of one similar to that operated by the Financial Services Authority [FSA]".

The FSA has issued fines in excess of £1m to financial-services companies that have lost personal data. Thomas and Walport asked for such fines to be in place by 8 November and, although this has not happened, the ministry's response said it hopes to introduce the provision shortly.

"The changes we propose today will strengthen the information commissioner's ability to enforce the DPA, and improve the transparency and accountability of organisations dealing with personal information," said Straw.

"This is very important if we are to regain public confidence in the handling and sharing of personal information," he added. The government will bring forward legislation to support the changes when parliamentary time allows.

In a change that will increase costs for many state-sector organisations, the ICO will replace the existing flat fee for data controllers with a series of charges based on organisational size.

The ICO will also be able to serve a warrant on anyone to provide information to determine compliance with the DPA; impose a deadline and location for the provision of information necessary to assess compliance; publish guidance on when organisations should notify it of data breaches; and publish a statutory data-sharing code of practice, to be used in legal cases involving data protection.

Read this

The future of netbooks

What technologies will the netbooks of the future incorporate as standard?

Read more +

"We welcome these new powers, which reflect the importance of data protection, sending a strong message that it must be taken seriously," said an ICO spokesperson. "We would have preferred the power to inspect private-sector organisations' compliance with the DPA without their consent, but we broadly welcome the announcements today."

Straw has provided the ICO with many of the powers Thomas and Walport asked for. In the ministry's response to their review, it said that all departments have started publishing information on data losses in their annual resource accounts, have appointed senior information risk officers and are ensuring that all organisations that help deliver services are aware of their responsibilities.

The ministry agreed that organisations should make it more clear what they intend to do with personal information, and said the ICO is working on a code of practice on fair processing notices. The ministry also supported the recommendation that organisations publish details of how long they keep data and in what ways they share it.

The ministry also gave its support to recommendations on better training for staff, with those handling data given awareness training on appointment and, at least, annually. A recommendation for legislation for a fast-track process to allow data-sharing where there is "a robust case", also gained ministry approval.

Although government departments are now required to report details of significant actual or potential losses of personal data to the ICO, the ministry said it does not intend to introduce wholesale data-breach-notification legislation as exists in the US — something Thomas and Walport had not recommended.

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

Did you find this article useful?
21 out of 21 people found this useful


Talkback

Post a comment


Full Talkback thread

3 comments

  1. And on the flip side Andrew Meredith
  2. Who pays the fine and to whom Comuscomp
  3. Technical measures are required to actually know w... lumension

Related Links

More In Security threats


Company/Topic Alerts

Create a new alert from the list below:








Related BlackBerry Resources

Protecting the BlackBerry Device Platform Against Malware

BlackBerry Devices with Bluetooth - Security Overview

BlackBerry Enterprise Server IT Policy

BlackBerry Enterprise Solution - Security Technical Overview

BlackBerry Enterprise Solution and RSA SecurID

CIO's Guide to Mobile Security

See All White Papers

Video icon

Video

Sentry Posts Blog

Met will not reopen phone hack investi...

The Metropolitan Police will not reopen its investigation into alleged phone hacking by the News of the World. In a press statement delivered outside Scotland Yard on Thursday, Assistant... More

Post a comment

FUD over ChromeOS's security already?

It hasn't taken long for the security vendors to wake to the potential of Google's new ChromeOS. The potential that is, to create FUD – fear uncertainty and doubt. In a release today,... More

Post a comment

Feds take DDoS in their stride

The US Department of Homeland Security has said that a series of distributed denial-of-service attacks began on US government networks on 4 July. However, Amy Kudwa, deputy press... More

Post a comment


Skip Sub Navigation Links to CNET Brand Links

Help

Become part of the ZDNet community.

ALL TOOLKITS

Blogs

Newsletters