Organisations to get data breach disclosure guidance
Published: 10 December 2007 13:09 GMT
Organisations are to get guidance from the Information Commissioner, the UK's data protection watchdog, on notifying their customers after a security breach.
The plans have been revealed by the government in response to silicon.com's Full Disclosure campaign, which calls for a review of the data breach notification laws in the UK.
As part of the campaign silicon.com launched an online petition on the Downing Street website calling for the Prime Minister to improve the reporting of information security breaches in the public and private sectors. The e-petition received more than 300 signatures.
The government said the move towards data breach notification laws in other jurisdictions - such as those seen in the US - is an "interesting development", but said it is not convinced this would lead to better protection of data.
But the response did not completely dismiss the notion of UK data breach legislation, and said: "The government does not discount the idea of a data breach law. However, it is not convinced that it would lead to an improvement in performance by business in regard to protecting personal information."
Instead of a data breach law, the written response hinted at a voluntary "checklist" that would offer companies guidance on what to do following a data breach.
The response said: "The Information Commissioner's Office (ICO) acknowledges that there are occasions when notifying consumers of a breach of security might not be appropriate. The ICO plans to consider drafting some checklist guidance to organisations - similar to guidance that exists in Canada and New Zealand."
In August 2007 the ICO had already published guidelines to help individuals understand how and why organisations use their data under the current Data Protection Act.
Downing Street's response to the silicon.com petition also said the government takes "the protection of personal data extremely seriously" and that the Data Protection Act sets out the framework for data protection and any enforcement action which may be taken by the Information Commissioner and the courts.
In November, Prime Minister Gordon Brown gave the ICO the power to conduct spot checks on government departments, in light of the HM Revenue & Customs breach in which the details of 25 million child benefit claimants were 'lost in the post' - the largest UK data breach in history.
Copyright © 2008 CBS Interactive Limited. All rights reserved.