Watchdog calls for 'reckless data-breach' offence

The information commissioner is seeking a change to the law, and greater inspection and enforcement powers, following a wave of high-profile data breaches

The Information Commissioner's Office has called for amendments to UK data-protection laws, including making "reckless" data breaches an offence.

In a document submitted to government, information commissioner Richard Thomas called for the Data Protection Act (DPA) to be amended to include a penalty for data controllers "knowingly or recklessly failing to comply with the principles" of the DPA.

"The Commissioner is proposing the introduction of a new penalty, limited to breaches that are avoidable, that give rise to a serious data-protection risk and where a criminal state of mind exists," said the document. "[Currently] there is no effective punishment or deterrent available for those who knowingly or recklessly disregard the requirements of data-protection law in a way that causes a significant risk of harm."

Recent data breaches include HM Revenue & Customs' loss, reported last November, of records on 25 million people, and the more recent loss of a Ministry of Defence laptop holding the bank details of 3,700 people as well as other data, including names, on up to 600,000 people.

The ICO's powers are limited. For the most part, it cannot impose a penalty for a breach that has already occurred. Individuals can be prosecuted for unlawfully obtaining personal data, but the sanctions available against an organisation that has suffered a breach apply only if it continues to act in a way that contravenes the DPA.

Moreover, government departments are not liable for prosecution under the DPA. Individuals within government can be prosecuted under the law, but only if they act outside their remit by unlawfully obtaining personal data.

The ICO is also seeking greater inspection and enforcement powers. The information commissioner wants to be able to spot-check organisations, halt "seriously unlawful" data processing immediately, and take enforcement action to prevent breaches of the DPA that have not yet occurred but are likely.

However, legal experts said that major changes to data-protection laws are not likely in the near future. Louise Townsend, a senior associate at Pinsent Masons solicitors, was not convinced that the proposals would lead to radical changes in the law any time soon.

"While we may see some changes, such as the power to audit government departments, changes such as a data-breach notification law or a new offence for gross negligence are unlikely to be imminent," said Townsend. "The government rejected proposals for a data-breach notification law, and the new offence would have to become government policy, and once it was on the agenda would take time to go through [Parliament]."

Nevertheless, said Townsend, the publicity surrounding data protection at the moment is "at least getting the information commissioner's concerns on the table, and getting the issue talked about."