10 Jun 2010, Dan Worth, V3
The Information Commissioner's Office (ICO) has no plans to force companies to report data losses, despite the Irish data protection watchdog lobbying its government for such measures.
Organisations in the UK are not obliged to tell the ICO about any data losses, although the information watchdog has stressed that it expects erring firms to do so, and considers it best practice.
The Irish Data Protection Commissioner believes that any organisation that loses data on more than 100 individuals should have to report the incident, but a statement by the ICO has confirmed that it has no intention of calling for a similar system.
"Under the Data Protection Act organisations have an obligation to ensure that personal information is held securely. We encourage organisations to advise us as soon as they are aware of a data breach which puts their customers at risk," the ICO said.
"Changes to the law are ultimately a matter for the government. Should legislation be proposed to compel UK organisations to notify people when a data breach occurs, it must be properly considered before it is introduced in the UK."
However, Deputy Information Commissioner David Smith said at Infosec in April that companies could soon be forced to report all serious data breaches to the ICO after an upcoming review of a European Union directive on this issue.
"Within 18 months it is likely that ISPs and telecoms companies will have to abide by this rule, and before too long this same law will apply more generally," he said.
"However, it would still only be for serious breaches of data, and firms would need to understand what represented a serious breach to ensure that the ICO, and the individuals affected, were not bombarded with irrelevant notifications on all losses."