Recent data losses have seriously harmed the reputation and effectiveness of a wide-range of UK organisations, in all sectors.
And the privacy watchdog – the Information Commissioner's Office (ICO) - is soon to acquire new powers, and is becoming more active and willing to exploit regulatory authority to the full, in pursuit of explicit policy objectives.
Any data handler that loses sensitive personal data, having failed to take reasonable precautions, faces civil monetary penalties under forthcoming legislation. As well as tougher sanctions from the ICO, companies risk damage to reputation and commercial losses if they fail to secure data.
After high-profile cases of data breaches in the Ministry of Defence (MoD) and the NHS over the past year, the public and private sector must realise that unless they address the security of endpoint devices they’ll lose out.
With more and more data being stored by organisations and transferred by removable media (especially the NHS, which now stores patient records electronically) organisations need to address their security policies to safeguard the data that they hold and avoid penalties.
Data protection re-write
In July, outgoing Information commissioner Richard Thomas called for a rewrite of the EU data protection directive, following the publication of a critical report by the RAND institute, which was commissioned by the ICO last year.
Thomas explicitly criticised the current Directive which underpins the UK’s Data Protection Act, as "showing its age", arguing that "laws must concentrate on the real risks that people face in the modern world".
The report advocates a rewrite of sanctions based on the damage caused by breaches and called for monetary penalties to provide a compensation fund to victims of data loss.
In addition to existing powers to prosecute, the ICO will be able to levy penalties against data controllers, under the new section 55A of the Data Protection Act. The ICO wants sanctions to be proportionate to the harm caused by a data breaches.
New monetary penalties
Under the newly inked section 55A of the Data Protection Act, the Information Commissioner was to be given the power to impose civil monetary penalties on businesses failing to protect sensitive personal information by implementing reasonable measures, if such data is subsequently lost.
Despite Lord Bach’s commitment to empower the data commissioner "as soon as possible", the provision for statutory penalties has not yet been "activated" by the necessary statutory instrument.
FutureSoft understands that the Ministry of Justice was set an internal target, at ministerial level, to finalise and implement the regime of civil monetary penalties before the parliamentary Summer recess "at the latest".
Government good practice is to provide statutory guidance twelve weeks before legislation comes into force. The penalties were due to be published in March, in time for their enforcement by the end of June. However, this date has subsequently passed.