Data-breach admissions may become mandatory

Banks, other businesses and authorities could soon be forced to confess to data breaches, according to the EU privacy tsar.

European data-protection supervisor Peter Hustinx said there is growing pressure within the European Parliament to create a data-breach notification law as part of a shake-up of privacy law.

Amendments to the EU E-Privacy Directive are currently being debated by the EU parliament and are expected to be passed in six months' time.

These amendments would force ISPs and telecoms companies to notify customers and authorities when they lose their customers' personal data.

And speaking at the RSA Conference in London, Hustinx said there are increasing demands from the European Parliament for the amendments to require all companies and public-sector organisations with an online presence to also come under the law.

Hustinx said: "I would be very much in favour of making data-security breach an element of general data-protection arrangements.

"It doesn't make sense to exclude an internet banking site, a hospital with a website or other businesses collecting sensitive data online, and just to impose it only on the telcos and the ISP."

Hustinx went on to say that the powers of the UK Information Commissioner's Office (ICO) were lagging behind equivalents in the rest of Europe and welcomed consultations to give the ICO more powers.

He said: "Inspection and sanction powers are rather weak in the UK compared to other countries in the EU.

"But [information commissioner] Richard Thomas being given more powers is looking more probable."

However, Hustinx added: "There is no reason to presume that the UK is worse than other countries."