The news story no organisation wants.
The Chancellor's announcement on 21 November 2007 that HM Revenue and Customs (HMRC) had lost two unencrypted CDs containing the entire child benefit database made public the most recent and most serious of a series of data security breaches at HMRC.
Since the HMRC news story broke, various other organisations from both the public and private sector seem to have been frightened into confessional mode because the Information Commissioner, Richard Thomas, has let it be known that several organisations have come forward over the past weeks to admit data security failings to him.
This latest data loss news story must further diminish the already dismal state of public confidence in organisations' ability to protect personal data. This lack of confidence was illustrated by the latest annual survey from the Information Commissioner's Office (ICO), published in September 2007. When asked which social issue concerned them most, 92% of respondents rated protection of people's details as the second most worrying issue, placing it below the prevention of crime but above the state of the NHS, and this was before the HMRC news story broke…
The legal framework
All organisations that control individuals' personal data are obliged to comply with the data protection principles in the Data Protection Act 1998 (DPA). The seventh of these principles is the one that is most relevant to data security. It states:
"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."
The Information Commissioner is responsible for enforcing the DPA, and his office will undertake an assessment of any alleged breach of the legislation. Where appropriate, the Information Commissioner may apply to court for a warrant to enter a data controller's premises and inspect and seize records there to assist with the assessment.
If a breach is established, the Information Commissioner may serve an enforcement notice on the data controller, requiring compliance with the specific measures listed in the notice. Non-compliance with a notice is a criminal offence punishable by a fine of up to £5,000 on conviction in the Magistrates' Court or an unlimited fine in the Crown Court. Directors and other company officers should be aware that they may be prosecuted in a personal capacity if consent, connivance or neglect on their part is proved in relation to the offence.
In addition, individuals who suffer damage and, in some cases, distress due to a contravention by a data controller of any DPA requirements may bring court proceedings for compensation from the data controller. There have been few such cases to date, but the recent media coverage may raise public awareness and lead to more such proceedings being brought.
It is also worth noting that the Financial Services Authority (FSA) has wide enforcement powers in respect of regulated firms' compliance with the FSA Principles. The FSA recently fined Norwich Union Life £1.26 million for breaching Principle 3 by failing to safeguard customers' confidential information securely. Principle 3 requires firms to take reasonable care to organise and control their affairs responsibly and effectively, with adequate risk management systems.
Of course, the adverse publicity that would result from a data security breach is in itself extremely damaging, as HMRC has found to its cost.
You have been warned
As the Information Commissioner said in a statement issued on 20 November 2007, "The alarm bells must now ring in every organisation about the issue of not protecting people's personal information properly… it is imperative that organisations earn public trust and confidence by addressing security and other data protection safeguards with the utmost vigour."
In view of the extensive media coverage of the HMRC news story and the independent review of the incident that is currently underway, it is likely that the Government will soon take steps to increase DPA enforcement powers and sanctions. Now would therefore be a good time for organisations to audit their DPA compliance so that they do not find themselves in the headlines for all the wrong reasons.