Keep data safe – or face jail
Added by The Editor, about 1 month ago.
Red faces and humiliating public apologies in the wake of serious data breaches are nothing new - but soon, hapless executives at organisations that negligently disclose personal data could face jail sentences of up to two years.
Under legislation voted through by the House of Lords last week, policymakers proposed an addition to section 55 of the Data Protection Act (DPA) that would make it a criminal offence to lose personal information.
They hope this will prevent further breaches of the kind seen at HM Revenue and Customs earlier this year, when it confessed to the loss of details about 25 million UK families.
"Data controllers need to wake up to the importance of personal data, whether in the public or the private sector," said Lord Erroll, who voted on the amendment. A second amendment voted through, which gives the Justice Secretary the power to increase the penalty for deliberately trading in personal data to a two-year prison sentence, will also apply to those who negligently lose data.
These amendments - part of the Criminal Justice and Immigration Bill - still need to be approved by the House of Commons, but Tory and Liberal Democrat support is widely expected to guarantee them safe passage through Whitehall.
If passed, these amendments will also remove specific exemptions from prosecution under the DPA for government departments and certain other Crown officials. Organisations have been warned!
Comments
There are currently 3 comments about this blog.
Louis France, about 1 month ago
I'm not exonerating anyone who willfully trades personal information, but my concern is that we'll start to see a lot more passing of the buck from exec to exec... I also wonder whether we'll see a huge decline in the number of data controllers out there. Either that or perhaps they'll expect to be paid a lot more to carry the risk associated with such a role.
Mandy Shaw, about 1 month ago
I 100% agree with Ben concerning proper processes and education. I also agree that punishment of the person directly responsible is absolutely the wrong way to go. But surely punishment of executives is appropriate? One of the roles of procedure in an organisation is to minimise the impact of human error; inadequate procedure is the responsibility of senior management.
Ben, about 1 month ago
I agree with increased penalties for willful trading of personal information, but I'm not sure what good punishment will do for loss of personal data. It was established that the recent government losses were largely down to human error - introducing punishment will not erase human error. I think this is attacking the problem from the wrong direction - introducing proper processes and education need to be the starting point. Not punishment once the proverbial horse has bolted.