The reason is simple: failure of an organisation to contact
individuals at risk of identity theft following a loss of
unencrypted personal data on a laptop is a likely breach of the
Data Protection Act, and recent changes in the law mean that such
breaches could attract large fines.
There are eight Principles in the Act. The Seventh Principle
deals with security matters. It states that any organisation
processing personal data "must" establish "a level of security
appropriate to the harm that might result from such unauthorised or
unlawful processing or accidental loss, destruction or damage … and
the nature of the data to be protected". The words "must" and
"might" enshrined in the Principle are very important: a risk
assessment is the obvious way of identifying the types of
procedures that must be implemented in order to prevent the
security breaches that might occur.
The requirement to perform a risk assessment can also extend to
any transfer of personal data to a country outside the European
Economic Area, for example, when an organisation uses a call centre
in India. The Act's Eighth Principle allows an organisation to
assess "an adequate level of protection", prior to transfer, by
considering a number of risk factors. These risk factors include:
"the nature of the personal data" being transferred, "the purposes
for which and period during which the data are intended to be
processed", "the law in force in the country or territory in
question" and "any security measures taken in respect of the data
in that country or territory".
Any competent risk assessment dealing with these considerations
would include an analysis of the potential for the loss of personal
data stored on portable media (e.g. on a flash drive or laptop) and
consideration of consequences if personal data were to be lost.
Such an assessment should thus identify when encryption would be
the appropriate counter-measure to reduce the identified risks. If
this is the case, then failure to undertake a risk assessment or to
use encryption would be a likely breach of the Act's Seventh
Principle, especially in cases where the data loss has been on the
scale of recent events (e.g. the HMRC's missing CDs containing 26
million national insurance and bank account details).
This position is reinforced by a statement on the website of the
Information Commissioner. It states: "There have been a number of
reports recently of laptop computers, containing personal
information which have been stolen from vehicles, dwellings or left
in inappropriate places without being protected adequately. The
Information Commissioner has formed the view that in future, where
such losses occur and where encryption software has not been used
to protect the data, enforcement action will be pursued".
In May this year, the Information Commissioner was given the
ability to serve a "monetary penalty notice" on an organisation.
This power, when it becomes operational, will be exercisable in
circumstances where the Information Commissioner is satisfied that
there has been a serious contravention of any data protection
Principle, and where substantial distress has been caused by a
failure to take reasonable steps to prevent that contravention.
Given the Commissioner's comments, it is clear that the loss of
unencrypted personal data on a laptop would qualify as being a
serious contravention that could become subject to a monetary
penalty notice. This monetary penalty would be in addition to the
right, granted by the Act, that allows individuals who suffer
damage as a result of such a security breach to sue for
compensation for that damage and any related distress.
Note also that if the correct measure to mitigate a security
risk was the encryption of personal data on portable media,
notification of data subjects would be the identifiable consequence
if encryption procedures were not followed. It follows that failure
to process personal data in order to make contact with individuals
to alert them to a data loss could aggravate an existing breach of
the Seventh Principle.
Indeed, failure to make contact also could lead to breaches of
other data protection Principles. For example, the failure to
process the personal data to inform individuals could be deemed to
be unfair or inadequate in the context of the organisation's
declared processing purpose.
In summary, most of the important features of USA-style
security breach notification law are now embedded into the guiding
Principles of the Data Protection Act. Organisations risk being
fined if they carelessly lose personal data or fail to encrypt
personal data when they should have done. Individuals are protected
because they have simple and free access to the Information
Commissioner, who has powers to investigate any complaint and fine.
Compensation for aggrieved individuals could arise from any
significant security lapse.
In other words, all the features of a security breach
notification law are now found in existing data protection
legislation.
Dr Chris Pounder is a privacy law specialist with Pinsent
Masons, the law firm behind OUT-LAW.COM, and editor of Data
Protection Quarterly. These are the personal views of the author
and do not necessarily represent the views of Pinsent Masons
LLP.
Pinsent Masons is holding workshops on Law, Security & Data
Handling: Minimising the regulatory risks through good
governance (2-page / 102KB PDF)
Footnote: Dr Chris Pounder was a consultant with Pinsent Masons until September 2008. He now runs a new training business, Amberhawk.