Will the threat of jail improve data protection?
By Stephen Pritchard,
Next month, UK data protection laws will be strengthened – again.
From 6 April, fail to observe the Data Protection Act, and your company faces a £500,000 fine. Until now, the maximum fine the Information Commissioner’s Office (ICO) could issue was £5,000; arguably not even a slap on the wrist for those who fail to protect data.
In many ways, the move should be welcomed. The ICO had only limited powers to go after organisations that put personal data at risk.
In practice, the Information Commissioner has had to rely on naming and shaming those behind data breaches, or leave it to other agencies, such as the Financial Services Authority, to wield a bigger stick.
The FSA has handed out some pretty hefty fines already, most notably to HSBC, which was forced to pay more than £3m for multiple data breaches.
The ICO will not be able to go that far next month, although the organisation is pressing for still tougher penalties, including possible jail terms.
In October, the Ministry of Justice issued a consultation, which proposed a custodial sentence of up to two years, for those who knowingly or recklessly breach Section 55 of the Data Protection Act.
Whilst the Government considers the results of the consultation, the ICO will have to rely on financial penalties alone. And the effectiveness of the ICO’s sanctions will depend largely on how it chooses to use its new powers.
As Richard Turner, chief executive of data security company Clearswift, points out, most data breaches that are not deliberate are preventable. Better user education about the Act, as well as better data loss prevention technology, will help companies comply.
Businesses, though, might not invest in those measures if the threat of heavy fines, or even jail time for their executives, hangs over them. So for the Act to be enforced effectively, the ICO will need to distinguish between genuinely accidental data losses, those that are caused or aided by negligence, and those that are deliberate.
The largest fines will need to be reserved for those data losses where someone acted with intent.
But if the goal is to improve data security overall – rather than simply punish offenders – then the ICO could do worse than to follow the FSA’s model and reduce its penalties for organisations that co-operate with its investigations. That way, companies have an incentive to fix the problem once and for all.
The ICO has issued guidance on how it will use the new penalties here.
Stephen Pritchard is a contributing editor at IT PRO.
Comments? Questions? You can email him here.
You may also like...
Sponsored Links
advertisement
You may also like...
Latest Data Loss Prevention Analysis & Insight
Do British police get cyber security?
Davey Winder listens to telephone conversations between the FBI and the Metropolitan Police, courtesy of Anonymous, and isn't impressed.
- Who to trust after the VeriSign hack?
- Striving to solve the security skills crisis
- Would you employ a hacker or malware writer?
- Erase and rewind: the EU and privacy
- My email address is [CENSORED]
- Are the cookie laws crumbling already?
- How the Data Protection Act's death will punish the UK economy
- Calculating the ROI of social networks is not rocket science
- The war on botnets
advertisement
Most popular
- Ubuntu vs. Windows 7 on the business desktop
- York researchers heat storage to speed up data
- OneNote hits Google?s Android
- O2 trials Olympic-scale remote working
- Who to trust after the VeriSign hack?
- Lenovo beats expectations again
- BlackBerry Bold 9790 review
- Will someone rid me of these troublesome Macs?
- Google to promise fairness after Motorola buy
- Welcome to the stay-at-home Olympics
Register for IT PRO
You'll get exclusive member benefits including free whitepapers, downloads, Webinars and weekly newsletters full of the latest IT PRO news, reviews, insight and expertise.
