The Data Protection Act, ten years on
As the UK’s main data security law turns ten, IT vendors and lawyers question if it’s still fit for purpose in today’s increasingly networked world.
The Data Protection Act (DPA) 1998 is ten years old today. Originally created to safeguard our personal information, some have questioned whether it is still fit for purpose.
The question is particularly pertinent, coming only a day after the The Office of the Information Commissioner (ICO) launched a scathing attack on government database expansion plans, following a series of high profile UK public and private sector data losses and rising online ID theft.
Jamie Cowper, marketing director (EMEA) at data protection specialist PGP Corporation, said it was difficult not to break data security laws in a world of electronic information that has changed almost completely since the act was enacted.
"The sheer proliferation of data within both public and private sector organisations in terms of stored records and transactions is mind-boggling," Cowper said. "As a result, I'd be surprised if nearly all companies aren't in some way contravening the act as it currently stands, whether they realise it or not."
He added: "The increased reporting of data loss incidents from missing CDs to hacked databases has simply shown how lax many organisations have become in following the guidelines laid out by the Act. If the DPA is to be of use in reducing such incidents, it must be positioned as a visible deterrent with punitive powers."
Cowper, like many others, said the DPA was a good step in the right direction, and has definitely done a lot to raise awareness of how consumers' personal information is used and sometimes abused by organisations. "However, it has perhaps been less effective in penalising those companies that have mishandled data, with, for instance, permission for inspections needed before any action can be taken," he said.
Dai Davis, partner at law firm Brooke North agreed the DPA was not fit for purpose. But he said the recent addition of criminal penalties for failing to comply with an ICO enforcement notice - such as those issued to Her Majesty's Revenue and Customs (HMRC) and the Ministry of Defence (MoD) yesterday - was a step in the right direction towards giving the law some teeth.
"The use of data and its value is manifestly greater than it was ten years ago and will continue to increase in importance over the next ten years," he said. "I think what we're seeing, with the Information Commissioner more willing to use his enforcement powers now there's some clout behind them, is good."
But Davis added: "We also need to give the authorities charged with investigating the crimes of data abuse, like the former Hi-Tech Crime Unit, much more funding."
The ICO told IT PRO: "The Data Protection Act has a crucial role in ensuring our personal information is effectively protected. It requires organisations to ensure that our personal information is stored and processed securely, that it is accurate and up to date and that it is not kept for longer than is necessary.
"Recent security breaches have reinforced the importance of data protection and we continue to urge the public and private sectors to take data protection seriously or risk losing the confidence and trust of individuals."
"It is equally important that individuals understand the value of their personal details and take appropriate steps to protect them. The Act gives us all important rights and protection in an age where more and more of our personal information is being collected and traded," the watchdog said.
Meeting the future of education with confidence
How the switch to digital learning has created an opportunity to meet the needs of every student, alwaysFree Download
The Total Economic Impact™ of IBM Cloud Pak® for Watson AIOps with Instana
Cost savings and business benefitsFree Download
The business value of the transformative mainframe
Modernising on the mainframeFree Download
Why PCaaS is perfect for modern schoolsFree Download