Watchdog calls for 'reckless data-breach' offence

Watchdog calls for 'reckless data-breach' offence

Summary: The information commissioner is seeking a change to the law and more inspection and enforcement powers following a wave of high-level data breaches

TOPICS: Networking

The Information Commissioner's Office has called for amendments to UK data-protection laws, including making "reckless" data breaches an offence.

In a document submitted to government, information commissioner Richard Thomas called for the Data Protection Act (DPA) to be amended to include a penalty for data controllers "knowingly or recklessly failing to comply with the principles" of the DPA.

"The Commissioner is proposing the introduction of a new penalty, limited to breaches that are avoidable, that give rise to a serious data-protection risk and where a criminal state of mind exists," said the document. "[Currently] there is no effective punishment or deterrent available for those who knowingly or recklessly disregard the requirements of data-protection law in a way that causes a significant risk of harm."

Recent data breaches include the loss of 25 million details by HM Revenue & Customs, reported last November, and the more recent loss of a Ministry of Defence laptop containing 3,700 people's bank details, as well as other data on up to 600,000 people, including their names.

The powers of the ICO are limited. For the most part, the ICO cannot impose a penalty for a breach that has occurred. While individuals can be prosecuted for unlawfully obtaining personal data, current sanctions are designed to make an organisation that has suffered a breach liable to a penalty only if it continues to act in a way that contravenes the DPA.

Sentry Posts Blog

Sentry Posts Blog

Guarding the network

What you need to know — and what you and your peers have to tell us — about security management in our new community group blog

Read more

Moreover, government departments are not liable for prosecution under the DPA. Individuals within government can be prosecuted under the law, but only if they act outside their remit by unlawfully obtaining personal data.

The ICO is also seeking greater inspection and enforcement powers. The information commissioner would like to be able to spot-check organisations, stop "seriously unlawful" data-processing immediately, and take enforcement action to prevent breaches of the DPA that haven't occurred, but are likely.

However, legal experts said that major changes to data-protection laws are not likely in the near future. Louise Townsend, a senior associate at Pinsent Masons solicitors, was not convinced that the proposals would lead to radical changes in the law any time soon.

"While we may see some changes, such as the power to audit government departments, changes such as a data-breach notification law or a new offence for gross negligence are unlikely to be imminent," said Townsend. "The government rejected proposals for a data-breach notification law, and the new offence would have to become government policy, and once it was on the agenda would take time to go through [Parliament]."

Nevertheless, said Townsend, the publicity surrounding data protection at the moment is "at least getting the information commissioner's concerns on the table, and getting the issue talked about."

Topic: Networking

Tom Espiner

About Tom Espiner

Tom is a technology reporter for He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


1 comment
Log in or register to join the discussion

    Why Is The Goverment & Its Subsidiary Departments
    Are not accountable For The Misuse Of Data
    Its Already Proved They Are The Worst Offenders
    Lost This Data, Lost That Data, Its About Time They Got the House In Order, AND Be Accountable, & not be Above The Law
    But The Problem Is WHO Makes The Laws