Sunday, 13 January 2008

MPs lobby to criminalise data loss

 

Data leakFrom: vnunet.com – 03/01/08

“MPs on the Justice Select Committee have called for new laws to protect the integrity of personal data.

The move was prompted by critical government data losses over the past few months, such as the loss of computer disks at HM Revenue & Customs.

The committee called for a breach law that would make it a legal obligation for companies to notify customers if their data has been accessed and to create a system of fines for repeat offenders.

"The scale of the data loss by government bodies and contractors is truly shocking, but the evidence we have had points to further hidden problems," said committee chairman Alan Beith.

It is frankly incredible, for example, that the measures put in place at HM Revenue & Customs were not already standard procedure.

The Committee also called for the Information Commissioner to have powers to make spot checks on government departments to ensure that correct practice is being followed.

These latest proposals to punish reckless data leakage with large fines and/or prison sentences will go some way in encouraging organisations from the top down to be compliant or at least be able to prove they took the necessary steps to protect their data.”

This has obviously been a necessary step for quite some time now; it’s just a shame that it’s taken so long for us to get merely this far.

2 comments:

  1. It's definite that something like this needs to be done.

    However, as ever, I do have a concern, and that is who things will be enforced against. Everyone makes mistakes, including the HMRC worker who sent out some discs. To avoid him being subject to public embarrassment, we don't know who it was.

    But, if prison sentences become an option, I can see the bosses less willing to protect their employees - if someone's going to down for it, let's sacrifice the poor worker who made that mistake...

    ReplyDelete
  2. That's a good point and something that I suspect may prove a sticking point in the passing of such legislation. Ultimately, though,the scope for an employee to be treated as the institution's scapegoat can only be limited or challenged through the careful and well-thought-out drafting of legislation. Perhaps the crime should be made one of strict liability and allow for companies to be held vicariously liable, for instance. After all, that would surely help ensure compliance from the top-down; if directors feel that their necks are on the line, fewer mistakes/data breaches would likely be made.

    ReplyDelete