Commons' committee calls for reckless-data-loss laws

…but be careful of 'knee-jerk' legislation, warn IT pros

By Nick Heath, 3 January 2008 16:27

MPs have called for the reckless loss of computer data and personal information to be made a crime but IT industry leaders and legal experts have urged the government to avoid knee-jerk legislation.

But the parliamentary justice select committee's demands that recklessly or repeatedly mishandling personal information should become a criminal offence received a cautious welcome.

The committee said organisations should be obliged to report losses and expressed concern further cases of data loss are still coming to light, saying there is evidence of a widespread problem within the government.

The recommendations by the committee, headed by Liberal Democrat MP Alan Beith, came in the wake of a series of admissions of lost data from government departments that began in November with HM Revenue & Customs losing the details of 25 million people claiming child benefit.

Its calls echo silicon.com's Full Disclosure campaign for legislation that would require organisations suffering security breaches to alert their customers if there is a chance the breach has put individuals' sensitive personal data at risk.

Currently only third parties can be prosecuted under the Data Protection Act for offences such as unlawfully obtaining or disclosing personal data. This does not apply to the 'data controller', so large businesses or government departments currently cannot be held responsible for breaches.

The Information Commissioner's Office (ICO) welcomed the calls to make significant security breaches a criminal offence and reiterated its support for the government's decision to give the ICO the power to inspect an organisation without having to get its consent.

Information commissioner Richard Thomas said: "These new arrangements will not be burdensome or onerous for organisations; they are a vital step to ensure there is proper protection for personal information."

Any move to criminalise data loss could put senior civil servants and public sector IT departments at risk of prosecution.

Richard Steel, CIO of the London Borough of Newham and vice president of local government IT user group Socitm, told silicon.com: "I think probably it should be [a criminal offence] but there have to be controls.

"I think that if it was found that those responsible for operating public information databases haven't taken the proper steps to manage those systems effectively and apply the best security standards, then there might very well be action."

He added that if all reasonable controls had been taken but a breach still occurred, prosecution would be harder to justify.

Jonathan Armstrong, technology lawyer with Eversheds, said the government should take care not to rush through laws as it had done with the Dangerous Dogs Act.

He told silicon.com: "I am keen we avoid going down the route where the legislation is introduced in haste and has not been thought through properly. The definition is going to have to be fairly precise, and why are we not including manual data? Some of the worst breaches to date have been with manual records, and when does data stop being electronic and become manual?

"My other concern is ensuring that extra resources are in place to police it. But undoubtedly it would have an effect on organisations' behaviour as you can see in other areas, such as with environmental legislation, where companies' activities can be criminalised."

He said he believes a fine would be an adequate deterrent without the need for the threat of a custodial sentence.

Comments

  1. Karen Challinor

    "Currently only third-parties can be prosecuted under the Data Protection Act for offences such as unlawfully obtaining or disclosing personal data"

    I have pointed out on many occasions that HMG were very careful about who the DP act could be used against haven't I

    "The Information Commissioners Office (ICO) welcomed the calls to make significant security breaches a criminal offence and reiterated its support for the government decision to give the ICO power to inspect an organisation without having to get its consent"

    you keep putting that bit about "power to inspect" in there mate, I have a feeling it will be quietly forgotten as a "heat of the moment" comment and not to be taken seriously, at some point before serious discussions begin

    the initial incident that prompted this particular "heat of the moment" comment occurred in November, quarter of a year later, the ICO still doesn't have any power over government departments or the civil service, if this had happened in a business, the business would have been restructured with an extra department with massive investigatory and regulatory powers by now

    the clouds are a bit opaque today, but my personal predictions on this are that IF these measures do ever hit the statute books then anyone in the civil service or HMG will have a severe talking to and possibly a delay on their insertion in the honours list should they happen to lose half the country's records again, whereas everyone else will have a jail sentence for disclosing the name of the street they live in whilst having a conversation in a pub

  2. Roger Smith

    What's wrong with using the Official Secrets Act to safeguard official data?

  3. Captain Sensible

    A car thief steals a car, drives into someone and injures them. Who's the baddie? Thief, or car owner (who clearly did not secure their car enough). Sane people blame the thief.

    A shop worker steals money from a till and uses it to buy drugs. Who's the baddie? Thief, drug dealer or employer (who clearly did not secure their till enough). Sane people blame the thief or dealer.

    A thug picks up a kitchen pot in a supermarket and uses it to batter a fellow shopper unconscious. Who's the baddie? Thug, or supermarket (who clearly did not secure their pots enough), or unconscious shopper (who may just have glanced at the thug the wrong way). Sane people blame the thug.

    An office temp steals data to which they have access as required for their job, then sells it to identity thieves. Who's the baddie? Thieves or office manager (who clearly did not secure their data enough). Sane people would say the thieves - but it's probably easier to blame the office manager.

    There's evidently so much stolen personal data washing around already that threatening victims misses the point and reeks of scapegoating!

    Get a grip, stop threatening victims for 'not protecting themselves enough' and chase the thieves.

    Or pressure the organisations that clearly can't (or can't be bothered to) spot the identity thieves when they try to misuse their stolen IDs.

  4. Karen Challinor

    Roger - using the Official Secrets Act would restrict HMG from using offshore agencies such as the one that lost the cartridge with the DVLA details on it, HMG doesn't like restrictions when they are applied to HMG