With data security breaches continuing to hit the headlines, the Information Commissioner has been given increased enforcement powers and has urged CEOs to take responsibility for data protection compliance by their organisations. The latest proposals from the Government underline the fact that responsibility for companies’ compliance now rests at the highest level. The final week of November saw a flurry of important policy developments.
First, the Ministry of Justice (“MoJ”) published its “response to the Data Sharing Review Report”. That report, conducted by Dr Mark Walport of the Wellcome Trust and the Information Commissioner Richard Thomas, was prompted by the series of major data blunders at the end of last year. The Walport Report’s recommendations are relevant to public and private sector organisations and span culture, legal and regulatory changes. The MoJ has endorsed a number of measures to strengthen the data protection regime. The MoJ also published its proposals for action in the light of its recent consultation on the funding and inspection powers of the ICO. The same week, the ICO launched the “Privacy by design” report produced by the Enterprise Privacy Group, which explores the means of designing privacy protection into products.
Impact on the private sector
The two MoJ documents contain wide-ranging proposals for the public and private sectors. For data controllers the key changes, once implemented, will include requirements for
* improved corporate governance arrangements which identify who is accountable for data protection compliance, including annual reports to shareholders;
* improved staff training in good data security practice and
* reduction in the use of personal data in some contexts, e.g. a greater use of authenticating credentials, such ad PIN numbers, to access services.
The recommendations will also lead to:
* new ICO guidance on data sharing and sector specific guidance;
* the introduction of Good Practice Assessments (although for the private sector the prior consent of the organisation will be required), with incentives for data controllers who consent to the Assessments (in the form of immunity from the new fines);
* turnover-related fines for breaches of the Data Protection Act (the provisions are already on the statute book, but the level of fines has still not been set – the Government intends to bring these into force “shortly”);
* replacement of the £35 flat fee with tiered notification fees based on the size of the organisation;
* simplification of the notification process and
* other minor changes to the ICO’s information gathering powers.
It is not clear exactly when the relevant new powers will come into force .
Information security breach notification – the state of play
The MoJ agreed with the conclusion of the Walport Report that there was no need for specific legislation to oblige data controllers to notify the ICO of data breaches. Both took the view that as a matter of good practice under the existing law, any significant breaches should be brought to the ICO’s attention and that, in cases involving substantial damage or distress, an organisation’s failure to “come clean” should be factored into the level of fines imposed under the ICO’s new powers. (It is worth noting that EU legislation to introduce data breach notification requirements is making its way through Brussels, although its future is uncertain as it is tied in with a much broader, and more controversial, package of telecoms regulatory reforms.) According to recent statistics issued by the ICO, the number of data breaches reported to the UK regulator since last December’s HMRC debacle stood at 277 at the end of October – 80 of these in the private sector. 30 of the most serious are under investigation, and formal enforcement action has already been taken against nine data controllers, including five well known consumer brands. The Commissioner acknowledges that the reported breaches are the tip of the iceberg. However, increasing levels of enforcement activity demonstrates that the ICO means business.
This article first appeared in the Q4 edition of Olswang’s Technology Update – see here.