Tuesday, November 25, 2008

Revisiting data security breaches

Opinion: In a recent press statement on whether there ought to be data security breach notifications, the Government rejected calls for a law that would require significant data security breaches to be notified to the country's privacy regulator. That position is slightly unusual.

The Government has rejected calls for a law that would require significant data security breaches to be notified to the country's privacy regulator. It said that notification to the Information Commissioner should be a matter of good practice, not law. The announcement came in a Ministry of Justice report on the Information Commissioner's inspection powers and funding arrangements, one of two reports published by the Ministry yesterday. Most states in the US have passed laws that already require organisations to notify significant data breaches. Europe is introducing a law that will apply such a requirement to telecommunications firms; and Peter Hustinx, the European Data Protection Supervisor, said in April that that law should be extended to banks, businesses and medical bodies. A House of Lords committee said in 2007 that "a data security breach notification law would be among the most important advances that the United Kingdom could make in promoting personal internet security". However, the Information Commissioner's Office (ICO) has said that it does not want such a law in the UK. The Ministry of Justice said yesterday that it agrees. "As a matter of good practice any significant data breach should be brought to the attention of the ICO and that organisation should work with the ICO to ensure that remedial action is taken," said the Ministry's report.

Source: Out-law news

Yet, given the lapses behind the recent losses of personal information, it is odd that this view has been taken. Proposals are already in place at a European level to amend the Directive on Privacy and Electronic Communications (hereinafter "DPEC") so as to include data security breach notifications by electronic communications providers. Whether this requirement will be extended beyond electronic communications providers is not yet clear, but there appears to be a level of support for doing so. The rationale is not simply good data management practice; it is that users and consumers are made fully aware of the privacy policies within an organisation and of whether its data protection standards are actually in place.