13 Jan 2010
The Information Commissioner's Office will be able to fine companies found guilty of breaching the Data Protection Act up to £500,000 from April 2010.
The maximum amount has just been approved by the Secretary of State for Justice, after initial provisions for the ICO to impose fines on organisations were passed in May 2008 with the introduction of the Criminal Justice and Immigration Act.
Following a public consultation on whether fines would provide the ICO with the appropriate tool to clamp down on those who wilfully ignore data protection principles, the government has proposed to set a maximum penalty of £500,000 that will come into force on 6 April.
"As citizens, we are increasingly asked to complete transactions online, with the state, banks and other organisations using huge databases to store our personal details. When things go wrong, a security breach can cause real harm and great distress to thousands of people," said Information Commissioner Christopher Graham.
"I remain committed to working with voluntary, public and private bodies to help them stick to the rules and comply with the Act. But I will not hesitate to use these tough new sanctions for the most serious cases where organisations disregard the law."
Justice minister Michael Wills explained that the penalties are designed to act as a deterrent, and to promote compliance with the Data Protection Act (DPA).
"Most data controllers do comply with the principles but, since misuse of even small amounts of personal data can have very serious consequences, it is vital that we do all we can to prevent non-compliance," he said.
The ICO explained that it will decide on the appropriate fine by calculating the seriousness of the data breach, the likely damage, the distress caused to individuals, whether the breach was deliberate or negligent, and what reasonable steps the organisation has taken to prevent breaches.
Factors that will also be taken into account include an organisation's financial resources, sector, size and the severity of the data breach, in order to ensure that an organisation does not go out of business as a result of the fine.
The ICO gave the example of a marketing company collecting personal data stating that it is for the purpose of a competition, and then knowingly disclosing the data for commercial purposes without informing the individuals concerned.
Simon McDougall, head of privacy and data protection at consultancy Deloitte, suggested that the tone of the new policy would be set with the first few fines.
"While the largest fines may only be dealt out to larger firms for serious breaches of the Data Protection Act, all organisations are now faced with a very real threat of significant financial penalties over and above any existing operational clean up costs and reputational damage should they suffer a breach," he said.
However, Ewen Anderson, managing director of consultancy Centralis, argued that penalising organisations that breach data protection principles is not necessarily the right way forward.
"Private sector organisations already face loss of trust and therefore substantial loss of business if data protection breaches are exposed," he said.
"The new legislation opens up the possibility of all organisations facing financial loss as well as damaged reputations, but there is always an argument that making the penalties too severe encourages organisations to conceal rather than be open and learn from such events.
"Only by sharing best practice and experience can organisations ensure that they have cost-effective ways to ensure that data remains safely within the centralised systems and storage where it belongs."
Chris McIntosh, chief executive of hardware encryption firm Stonewood, added that the news shows that the government is taking data loss seriously, but that more needs to be done.
"In line with stronger punishments for breaches of the DPA, there must also be a stronger message from the government. Businesses have so much bureaucracy and red tape to deal with when it comes to data compliance that it is too confusing to be effective," he argued.
"Government needs to provide simple, straightforward legislation regarding the protection of personal data through encryption."
Do you agree?
Time to take action
It is promising to see the ICO taking positive measures to tackle personal data security breaches. Half a million pounds is a tidy sum; small enough to comprehend, large enough to matter. According to the new statutory guidance as provided by the ICO, this will be delivered for the most serious breaches, but with one violation enough to justify the penalty. Further, it seems the seriousness of the breach is only one aspect; it does not have to be a deliberate contravention. Reckless disregard through poor corporate governance, failure to carry out a risk assessment, or lack of a compliance regime, are all aggravating factors. The Information Commissioner clearly understands IT security, as seen in its references to the likes of encryption and the information security standard, ISO27001; however organisations need to be aware that one size does not fit all. Businesses have the flexibility to select adequate security measures that best match their business needs, and act accordingly. Helpfully, the statutory guidance also states that payment is accepted by BACS transfer or cheque: if you don't want to be the first, then it's time to take action.
Posted by: Chris Mayers, chief security architect at Citrix 19 Jan 2010
Fines will have an impact, but won't solve the problem in isolation
Resorting to punitive measures, such as fines, represents a sad day in the history of information security. Alas, the repeated examples of lax corporate and public sector security awareness and compliance have made it an unfortunate necessity. Lax data security processes are not confined to the private sector. TK Maxx, Nationwide Building Society and Cotton Traders are just a few examples of enterprises that have suffered a data loss or theft, but can immediately be matched by failures within the public sector at HM Revenue and Customs, the NHS, the Ministry of Defence, to name just three. Increased regulation and public expectation over the safety of data poses challenges for the IT department and for those responsible for security policy and training. These challenges are amplified by the real threat of a large fine or other legal sanctions. Some businesses, particularly in vertical sectors such as financial services that are already heavily regulated in relation to data protection, often find themselves struggling to stay on top of the latest regulations and requirements. Failure to stay on top of these rapidly evolving legal requirements can quickly develop into malaise, and this is where security problems occur. The sizable fines the Information Commissioner's Office can now impose will hopefully deter organisations of all types from falling behind on data security. However, if past instances of data loss and theft teach us anything, it is that regulation alone will not solve the problem. Such measures must be aligned with an overall government effort to encourage and build a culture of security best practice and common sense, underpinned by solid technologies that can deliver the level of security required by law and able to cope with emerging threats and the changing ways in which we work.
Posted by: Stuart Hodkinson, UK general manager, Courion 14 Jan 2010
UK Govt needs to get its own act straight first.
Time that Kingston sued the Government then for £500,000 plus expenses as UK Govt certified encryption used to protect these drives proves to be rubbish. Britain's lack of Government based data security could be a serious threat to the US and others. As already disclosed many times via the media, the data the Government does have is very loosely guarded. Laptops left in public places, CD discs, DVD discs, and pen drives left in public places. To cap it all they still want to store more of our private and personal data. We read that there is a sell off of our private and confidential files, read story here: http://tinyurl.com/y85asqc With this Government's obsession with collecting and storing as much of our private and confidential details it is therefore alarming to discover that UK Govt certified encryption used for protecting these 'Kingston Pen Drives' is pretty well useless, story link below. http://tinyurl.com/yevfhqz
Signed Carl Barron, Chairman of agpcuk, http://carl-agpcuk.livejournal.com/
Posted by: Carl Barron 13 Jan 2010