Experts urge criminal charges for data breaches
A former deputy information commissioner has called for failure to comply with data-protection principles to be made a criminal offence.
Francis Aldhouse, who is now an information law and policy consultant for legal firm Bird & Bird, said on Thursday that such penalties were necessary to implement a change in the culture surrounding data-protection adherence. He was speaking at a Westminster eForum event on the "policy challenges of information security" in the wake of numerous public- and private-sector data breaches and losses.
Calling for "limited, focused legislative changes", Aldhouse said he favoured a carrot-and-stick approach. The "carrot", he suggested, could be a "safe harbour for organisations guaranteeing by audit" that they have the right data-protection procedures in place, thus becoming exempt from potential penalties should something go wrong. As for the "stick", he said: "I would like to see a criminal penalty for failing to comply with [the principles enshrined in the Data Protection Act] and for this to apply to individuals, as well as organisations".
"The incentivisation of organisations and individuals is the most important [element] in any new law," Aldhouse said, adding that "loss of custom or political criticism" would also play a part in convincing private and public entities to take data protection seriously.
Aldhouse's comments were echoed by Dr Chris Pounder of law firm Pinsent Masons, who said at the forum that some form of data-breach-notification legislation was needed, but not as a separate entity from the Data Protection Act [DPA], so as to avoid the fragmentation of enforcement.
"[The idea] should be brought within the principles of the DPA… and the information commissioner can enforce it," said Pounder. "We need to increase the risk profile… and possibly [introduce] a criminal offence in relation to major data breaches. Then the culture will change."
The concept of data-breach-notification legislation was also backed by Anna Fielder of the National Consumer Council and Carrie Hartnell of Intellect, the body that represents the UK's technology industry. More cautious notes, however, were sounded by Mike Bradford, head of regulatory affairs for the credit-data firm Experian, and Merlin, Earl of Erroll and a member of the House of Lords.
Bradford warned that notification of data breaches had to be weighed against the economic effects of "scaremongering", while Erroll said he was no longer certain that data-breach-notification legislation was a good idea, because it is difficult to clearly define what constitutes a 'breach'. Erroll gave the example of the lost HMRC child-benefit CDs, as it remains unknown whether anyone ever found the discs, let alone used them for any nefarious purposes.
David Smith, the current deputy information commissioner, also spoke at the event. He said increased penalties for breaches could "change things to some extent, but it's the publicity and negative effect to the reputation of [the organisation that is in breach] that matter".