By Nick Heath, 28 April 2008 16:04
Losing personal data took a step closer to becoming a criminal offence after the House of Lords backed a change in the law.
Peers supported an amendment to the criminal justice and immigration bill which would make it a criminal offence to carelessly release or lose personal data.
The amendment, proposed by Liberal Democrat Lady Miller, would make it an offence for anyone to "intentionally or recklessly disclose information" or "repeatedly and negligently" allow information to be disclosed.
The amendment must be sanctioned by the House of Commons before it can become part of the bill.
It follows calls by the Information Commissioner Richard Thomas for the criminalisation of reckless data loss earlier this year.
A Ministry of Justice spokesman said it would consider its position on making data loss a criminal offence following the Lords vote.
He said: "The government has previously acknowledged that it needs to improve trust and confidence in the arrangements to protect personal data and is currently in the process of doing this."
In light of this development, he added the government will now look at the most appropriate course of action.
The move towards outlawing the reckless loss of data follows silicon.com's campaign for full disclosure.
The issue of public data loss shot into the public eye with HMRC's loss of 25 million people's details on two CDs, which sparked a host of revelations about missing data in government.
Last week a government-sponsored report revealed the number of security breaches had fallen by a third in the past two years but that spending on security defences had tripled over the past six years.

Comments
1. Paul Seligman
Would such a law cover disclosure of email addresses? For example, by sending an email to multiple recipients (without consent) with all addresses showing?
2. Haydn Rees
So long as, in the event of things going wrong, the appropriate people go to prison, it's fine.
The poor geek who tries to make an organisation take information security seriously should not be the one to stir the porridge.
It must be someone on the board (if they don't nominate a data security director/advocate, it must be all of them).
Make "Data Security Director" a position with statutory authority, responsibility, and power - requiring a little book learning and certification - to take executive action to make the organisation take security seriously, namely:
1. The use to which data is put in an organisation.
2. The downstream use (in other organisations) to which any data is put.
Audit trails. A named answerable published person who will twist in the wind if things go wrong.
Power to balance the authority and responsibility.
An assumption of culpability, which can only be mitigated by a log of the auditable measures taken to QA security risk, e.g. external Audit, and external Penetration Testing consultancy with a watching brief.
3. James Button
Yes - Get the police to do the job the Data Protection Registrar isn't bothering to do!
But - aren't the police already having enough trouble dealing with computer-related crime, due to their reported lack of finance, skilled staff and equipment?
4. Karen Challinor
Mr Button - you mean get the police to do the job the ICO doesn't have the authority to do.
The ICO is toothless because politicians don't want the office to have any real power,
and whatever happens with the law, government departments will be carefully and scrupulously made exempt from it.
5. Simon
Somehow I can imagine they'll have exempted themselves from this - I wonder what they're scared of!
6. Chris Goodman
Just about all security breaches resulting in loss of data are the result of carelessness or neglect by an individual, whether an individual data handler or a management failure to properly address security.
And such careless action, or inaction, should certainly result in a punitive legal action in addition to job dismissal.