The Government has rejected calls for a law that would require significant data security breaches to be notified to the country's privacy regulator. It said that notification to the Information Commissioner should be a matter of good practice, not law. The announcement came in a Ministry of Justice report on the Information Commissioner's inspection powers and funding arrangements, one of two reports published by the Ministry yesterday.

Most states in the US have passed laws that already require organisations to notify significant data breaches. Europe is introducing a law that will apply such a requirement to telecommunications firms; and Peter Hustinx, the European Data Protection Supervisor, said in April that that law should be extended to banks, businesses and medical bodies. A House of Lords committee said in 2007 that "a data security breach notification law would be among the most important advances that the United Kingdom could make in promoting personal internet security".

However, the Information Commissioner's Office (ICO) has said that it does not want such a law in the UK. The Ministry of Justice said yesterday that it agrees. "As a matter of good practice any significant data breach should be brought to the attention of the ICO and that organisation should work with the ICO to ensure that remedial action is taken," said the Ministry's report.
Source: Out-law news