When will organisations pay for data breaches?

Comment: The sooner the better

Tags: security, data breach, information commissioner

By Grant Campbell

Published: 2 June 2009 13:00 GMT

More than a year after appearing on the statute books, the info watchdog's power to fine is not yet operational. Lawyer Grant Campbell urges those involved not to lose momentum.

Data losses have provided the UK press with an ongoing stream of stories for more than 18 months now.

The first big story, in November 2007, was HM Revenue and Customs' loss of discs containing child benefit data on 25 million people. Since then the press has been spoilt for choice of incidents of this nature, with a wealth of embarrassing headlines affecting the government and its contractors in particular.

The role of the Information Commissioner's Office (or ICO) as the independent body charged with policing and enforcing data protection legislation is to promote good practice and ultimately, as the regulator, to take enforcement action against organisations where they are found to have fallen short.

Currently, if the ICO hears of a security breach - either because the organisation affected has notified it of the incident or as a result of a complaint - the ICO has various assessment powers to allow it to establish the facts of the case and, crucially, to form a view on whether there has been a breach of data protection legislation.

However, even where the office concludes that an organisation has failed to comply with its statutory obligations to keep our information safe, in most cases the organisation at fault will at worst be required to give a formal undertaking to the ICO to comply in full with its data protection obligations in future, provided it co-operates with the ICO in resolving the situation.

Only in extreme cases might formal enforcement action be taken and, even then, the ICO still has no 'live' power to fine the organisation for its compliance failure.

The furore created by various high-profile data security scandals forced politicians to concede that the regulatory environment was inadequate. The government commissioned various investigations and reports and brought into force certain changes designed to improve internal procedures, including mandatory rules on data security provisions in central government contracts.

In the midst of all of this, the enactment in May last year of a power for the ICO to impose monetary penalties for serious breaches of data protection legislation emerged as an unexpected - but very welcome - strengthening of the regulatory regime. Suddenly it seemed that the lack of clout that has traditionally hindered data protection would become a thing of the past, with the protection of personal information finally becoming a board-level issue.
