The Information Commissioner's Office (ICO) had expressed its concern at the high level of data being lost – the number of Data Protection Act breaches reported to the ICO reached 1,000 in May of this year. This figure only represents the cases reported to the ICO. It is not currently mandatory for an organisation to disclose breaches of its data security. Damages to an organisation's reputation and the prospect of a potential fine of up to £500,000 are hardly incentives to disclose breaches.
According to a recent article, it now looks like all organisations may, within the next four years, have to notify the ICO, and all individuals affected, of serious breaches relating to personal data. Issues about the mandatory notification procedure which will need to be considered are whether there should be a limit on the fine for a serious breach of data security (many data protection commentators believe this should be limitless) and what will constitute a ”serious breach” and therefore trigger the procedure.