The announcement came in a Ministry of Justice report on the Information Commissioner's inspection powers and funding arrangements, one of two reports published by the Ministry yesterday. (See today's other stories on the reports: Government announces new law for increased data sharing, OUT-LAW News, 25/11/2008; and ICO to get powers to audit public bodies without consent, OUT-LAW News, 25/11/2008.)

Most states in the US have passed laws that already require organisations to notify significant data breaches. Europe is introducing a law that will apply such a requirement to telecommunications firms; and Peter Hustinx, the European Data Protection Supervisor, said in April that that law should be extended to banks, businesses and medical bodies. A House of Lords committee said in 2007 that "a data security breach notification law would be among the most important advances that the United Kingdom could make in promoting personal internet security".

However, the Information Commissioner's Office (ICO) has said that it does not want such a law in the UK. The Ministry of Justice said yesterday that it agrees.

"As a matter of good practice any significant data breach should be brought to the attention of the ICO and that organisation should work with the ICO to ensure that remedial action is taken," said the Ministry's report.

It is already mandatory for Government departments to share details of significant actual or potential losses of personal data with the ICO. The ICO has also produced guidance for data controllers on when data breaches should be notified as a matter of good practice.

"The ICO will take into account the failure of an organisation to notify any breaches of the data protection principles when considering enforcement action," said the Ministry's report.

William Malcolm, a data protection specialist with Pinsent Masons, the law firm behind OUT-LAW.COM, said that a notification law may have made little practical difference.

A failure to deal responsibly with a data breach could result in a breach of the Data Protection Act in any case, he said.

"The expectation of the ICO and the Financial Services Authority in the UK is that organisations will notify if breaches involve large numbers of individuals or have serious consequences for a particular individual," said Malcolm. "Most organisations understand this and do work with regulators, notifying the type of breaches they know they want to hear about."

"Having a law would risk regulators being inundated with notifications, thus making it more difficult for the regulator to evaluate when the organisation making the disclosure thinks it's serious," he said.

"Assessing whether or not to notify a regulator is always a difficult issue. Organisations need to carefully weigh the pros and cons," he said. "In our experience it's always better to come clean rather than face having to own up on the back of a customer complaint directed to the regulator."

Pinsent Masons and Amberhawk Training are holding an Update session on 26th January in London where this topic forms part of the agenda. If you are interested in this event, please email chris.pounder@amberhawk.com for a brochure.

Disclaimer: We hope you find OUT-LAW's content useful. It's prepared by the lawyers at Pinsent Masons. Please remember, though, that it's intended as general information only. It's not legal advice. If that's what you're seeking, please contact us. See also: our full disclaimer.