Some privacy campaigners want the UK to pass the kind of data
breach notification law that exists in California and other US
states. Such laws force organisations to make public any personal
data losses.
Backers of the laws say they increase transparency and
accountability and force organisations to take privacy more
seriously. Detractors say they can desensitise the public to the
dangers of lost data.
"Informing people is not an end in itself," says new advice from
the ICO for organisations which accidentally lose personal data.
"Notification should have a clear purpose, whether this is to
enable individuals who may have been affected to take steps to
protect themselves or to allow the appropriate regulatory bodies to
perform their functions, provide advice and deal with
complaints."
"Have you considered the dangers of ‘over notifying’?" says the
advice. "Not every incident will warrant notification and notifying
a whole 2 million strong customer base of an issue affecting only
2,000 customers may well cause disproportionate enquiries and
work."
The ICO's advice is designed to guide organisations in how they
should prepare for and deal with an accidental loss of the personal
data of employees or customers. It says that organisations should
prepare a recovery plan outlining how they will deal with any future
data loss.
"This will often involve input from specialists across the
business such as IT, HR and legal and in some cases contact with
external stakeholders and suppliers," it says. "Where appropriate,
inform the police."
The guidance says that data losses can range from the relatively
trivial, in which the biggest harmful effect is inconvenience, to
the extremely serious, in which highly personal data or information
that could be used to commit identity fraud is lost.
"Perhaps most important is an assessment of potential adverse
consequences for individuals, how serious or substantial these are
and how likely they are to happen," it says.
On the issue of notification the ICO reminds organisations that
though there is no overarching law requiring them to make a breach
public, individual sectors have their own rules, some of which
might order notification.
In deciding whether or not to publicise a breach, the guidance
says that organisations should consider whether it would do the
people whose data has been lost any practical good.
"Can notification help the individual? Bearing in mind the
potential effects of the breach, could individuals act on the
information you provide to mitigate risks, for example by
cancelling a credit card or changing a password?" it says.
Notifying the ICO will not necessarily be enough. "You might
also need to consider notifying third parties such as the
police, insurers, professional bodies, bank or credit card
companies who can assist in reducing the risk of financial loss to
individuals, and trade unions," says the guidance.
The guidance is designed for companies whose data loss is
accidental, but Information Commissioner Richard Thomas has also
addressed the problem of deliberate and malicious use of personal
data.
Two years ago Thomas proposed that those found guilty of
deliberately disclosing or receiving people's personal data without
their consent receive a jail term. The Government has now proposed
that the Criminal Justice and Immigration Bill be altered to permit
a jail term for those convicted of buying or selling personal
data.
Thomas has called on Parliament to ensure that this measure – to
be clause 76 of the Act – is passed in the face of mounting
opposition.
"There have been powerful last-ditch efforts to get clause 76
removed from the Criminal Justice and Immigration Bill," said
Thomas. "There has been widespread support for the government’s
decision to strengthen the law, and if data protection is to be
taken seriously it is vital that the government and other parties
should stand firm against any possible amendments. I am determined
to stop the pernicious illegal market in personal information which
our reports exposed."