The data protection watchdog has called for criminal action against those who lose individuals’ personal data on unencrypted laptop computers.
Information commissioner Richard Thomas and his deputy, David Smith, revealed to members of the House of Lords they had called on the Ministry of Justice to make it a criminal offence “for those who knowingly and recklessly flout data protection principles” where there are serious consequences.
Smith told the Lords constitution committee that an example might be a doctor leaving a laptop containing personal details of patients in a car. It was “hard to say [this was] anything other than criminal negligence”, he said.
At present, the Information Commissioner’s Office is largely toothless in the face of serious data security breaches. In March, the watchdog issued a warning – largely a slap on the wrist – to 11 banks that dumped customer data in outside rubbish bins.
But the ICO officials told the Lords committee that stronger measures were needed and that “a blatant breach” of data protection laws should attract a criminal penalty.
Committee members pressed the ICO team, with one peer suggesting that GPs sometimes had to carry patients’ data with them and the suggestion that there should be a criminal penalty for loss of a laptop holding such information was “out of proportion”.
Thomas replied that criminal sanctions should be used where a laptop had “a lot of personal information that hasn’t been taken care of and hasn’t been encrypted”. Doctors and others carrying sensitive information on portable devices “should know the basics of encryption”, he told the committee.
The ICO was not seeking to criminalise doctors for a single incident, but where there was “gross negligence”, Thomas said.
HM Revenue and Customs is among the organisations that have recently suffered high profile data security breaches as a result of laptops being lost or stolen. The HMRC laptop containing taxpayer data was encrypted – but other organisations have often failed to encrypt their machines.
Smith also told the Lords that the watchdog body was seeking powers to inspect organisations to check whether they were applying data protection laws. The ICO was “almost unique” in not having powers to check that regulations were being put into practice, he said.
The ICO has previously put the case for inspection powers to the Commons home affairs committee.