Thursday 6 December 2007

fulldisclosure - epetition response

7 December 2007

We received a petition asking:

"We the undersigned petition the Prime Minister to review existing data protection legislation and improve the reporting of information security breaches in the public and private sectors."

Details of Petition:

"If a company suffers a security breach which puts customers’ sensitive personal data at risk, it should be obliged to warn its customers that their information may have been compromised so they can act accordingly to protect themselves. In the UK there is no requirement for companies to reveal that a breach has taken place - which means leaks of sensitive data can take place unknown to customers. We want the government to review its data protection legislation and improve the reporting of information security breaches in the public and private sectors. We are calling for greater public debate and for the government to consider legislation that would require organisations that suffer information security breaches to alert their customers if there is a chance the breach has put individuals’ sensitive personal data at risk. A number of high-profile data breaches have eroded public faith in the ability of organisations to protect sensitive personal information and only a change in the law to force companies to come clean about data breaches will restore it."

Read the Government’s response

The Government takes the protection of personal data extremely seriously. The Data Protection Act 1998 (DPA) sets out the framework for data protection and any enforcement action that may be taken by the Information Commissioner and the Courts.

The Government does not discount the idea of a data breach law. However, it is not convinced that it would lead to an improvement in performance by business in regard to protecting personal information.

The Information Commissioner’s Office (ICO) acknowledges that there are occasions when notifying consumers of a breach of security might not be appropriate. The ICO plans to consider drafting some ‘checklist’ guidance to organisations - similar to guidance that exists in Canada and New Zealand.

The move towards breach notification laws in other jurisdictions - the most well known being in the United States where many states enacted laws after high profile security breaches - is an interesting development. The experience in the US has yet to be fully analysed.

In his speech of 25 October 2007, the Prime Minister announced that he and Jack Straw, the Justice Secretary, had asked the Information Commissioner Richard Thomas and Doctor Mark Walport, Director of the Wellcome Trust, to undertake a review of the framework for the use of information - in both the private and public sector - to assess whether it is right for today’s landscape and strikes the right balance in giving people the protection they are entitled to, while allowing them to make the most of the opportunities which are being opened up by the new information age. The Government will consider the conclusions of that review when it reports next year.

On 21 November, the Prime Minister announced that Government will give the Information Commissioner the power to conduct spot checks on Government Departments, to do everything in his and Government’s power to secure the protection of data.
