/v3-uk/news/1953086/experts-welcome-information-commissioner-powers
25 Nov 2008, Phil Muncaster, V3
Security and legal experts have broadly welcomed the new powers announced yesterday for the UK's data protection watchdog, saying that the move should force organisations to tighten up their data protection policies.
Information Commissioner Richard Thomas had long campaigned for greater powers to fine and investigate those suspected of contravening the Data Protection Act (DPA), and was finally rewarded with proposals put forward yesterday by justice secretary Jack Straw.
The proposals, which form part of the government's response to the Data Sharing Review published earlier this year, include the power to fine organisations for deliberate or reckless loss of data, and to inspect government departments without first requiring written consent.
Paula Barrett, a partner at law firm Eversheds, said, "Other recommendations of note are that organisations outside the public sector should clarify in their corporate governance or equivalent documents where ownership and accountability lies for handling personal information.
"This reflects the steps which are being taken within the public sector following the Data Handling Review where there is a senior information risk officer appointed with responsibility for the organisation's information risk policy, management and reporting."
Barrett also welcomed a revision of the funding structure for the Information Commissioner's Office (ICO), which will replace the flat-rate notification fee with a tiered structure based on the size of the notifying organisation.
"This should provide some of the much needed additional funding which the ICO will require if it is to be able successfully to use these additional powers, and produce the sort of guidance which it will be required to deliver," she said.
Matthew Tyler, director at consultancy Evolution Security Systems, argued that the recent spate of security breaches would not have occurred if the DPA had been followed correctly.
"It is about time that the DPA was taken seriously in the UK, and hopefully with the new powers organisations will look at their general levels of corporate governance and minimum security requirements in line with the new fines," he added.
Paul Davie, founder of database security firm Secerno, welcomed the new powers, saying that they would give "those responsible for allocating budgets the will and the mandate to take sensitive data security seriously".
"This is a real move in the right direction. I hope and expect that this will lead to a raising of the bar in the way personal data is handled in the private and public sectors," he added.
Others were more sceptical about the effectiveness of increasing the ICO's powers.
"This is a step in the right direction, but whether it will be enough to turn around the two main problems that exist in the public sector - culture and inflexible IT - is yet to be seen," said Bill Beverley, security specialist at application delivery firm F5 Networks.
"These new powers go some way to addressing the cultural issue by increasing accountability, but the underlying cause of a lot of data breaches still remains: inflexible IT systems require staff to extract data to manipulate it or share it and produce management information."
Do you agree?
Sufficient powers already
I don't get it, why is everyone making such a big deal of this? Richard Thomas can already do most of this stuff under the current Data Protection Act - so why isn't he? He's a joke! Why don't they get more warrants for entry if they need them? Why don't they prioritize their workload properly? Why doesn't Dicky Thomas do a good job rather than just jumping on bandwagons? Why doesn't the Government remove him from his office? Talk about poor regulation - that smug picture of him is next to the definition of "poor regulator" in the dictionary!
Posted by Timmy McShane, 26 Nov 2008
ICO Problems are More Fundamental
ICO seemingly lack the skills, capacity, and independence required to act as an effective and independent IT regulator.
They don't use their existing powers effectively, never mind being granted new ones.
Particularly in the case of the DPA and PECR failing to hold BT to account over the Phorm debacle.
Richard Thomas's tenure as ICO has, sadly, been an experience I won't recall with any great fondness.
He is due to retire early next year, after overstaying an extra year. I sincerely hope someone can reconstruct ICO's tattered reputation using these new powers. Because at the moment ICO is a complete shambles.
Posted by Pete, 28 Nov 2008