“Financial company loses over 600 customers’ details”; “Action taken after care provider lost unencrypted memory stick”; “Gambling worker guilty of selling 65,000 bingo players’ details”; “Advocate’s legal files lost after unencrypted laptop theft”; “Council lost memory stick containing 18,000 residents’ details”
These headlines from a selection of press releases made by the Information Commissioner’s Office (ICO) in the last three months show the scale of the data security problem. Public and private organisations are provided with vast quantities of personal data by individuals trusting that the information will remain safe and secure. At a time when the scale of data being processed continues to increase and the technology with respect to storing, sending and transferring data develops, the risks are correspondingly high. It is therefore not surprising that given the dangers of personal details falling into the wrong hands, incidents involving personal data being lost, stolen or wrongly disclosed frequently make headlines.
The recent revelation of phone hacking by unscrupulous private detectives further highlights the extent to which our personal data may fall into the wrong hands.
The approach taken by the Information Commissioner’s Office
The ICO’s guidance confirms that in serious cases of data security breach, defined by reference to the potential harm which may be caused and the number of people affected, the ICO should be notified. Otherwise, with the exception of particular requirements introduced in May 2011 with respect to providers of “publicly available electronic communications networks,” there is currently no general statutory obligation to report data security breaches to the ICO.01 Rather, the ICO makes it clear that voluntary disclosure or self-reporting of breach to the ICO would be taken into account when considering regulatory action. Given that the ICO is able to impose financial sanctions of up to £500,000, this is a very real incentive to disclose.
Further, there is no general obligation to inform the individuals affected, although again the ICO has issued detailed guidance. The ICO’s approach is strictly pragmatic, steering organisations away from wholesale notification: “Informing people about a breach is not an end in itself. Notification should have a clear purpose, whether this is to enable individuals who may have been affected to take steps to protect themselves or allow the appropriate regulatory bodies to perform their functions, provide advice and deal with complaints.”02
The ICO states that there will be circumstances when it would be in the interests of those affected or the general public interest to make the breach public. The ICO itself is likely to publicise any regulatory action, including the securing of undertakings from an organisation in breach.03
This issue has recently been considered in the context of the phone hacking scandal. On 7 February 2012, the Metropolitan Police made a declaration effectively admitting that their failure to warn phone hacking victims in 2006 and 2007 constituted a breach of those individuals’ Article 8 rights and have therefore settled the judicial review of this decision brought by Chris Bryant MP, Lord Prescott and Brian Paddick. In the permission hearing heard by Justice Foskett on 12 May 2011, the claimants argued that Article 8 of the European Convention on Human Rights can impose positive obligations on public authorities requiring them to take action, including warning victims of potential harm caused to them by the activities of others.04 The court drew an analogy to a local police force coming into the possession of information that suggested that elderly residents in a particular community were likely to be the target of a team of confidence tricksters and that the confidence tricksters were hacking into the mobile phones of the relatives of these elderly residents to find out when the residents would be alone in their homes. Justice Foskett considered that Article 8 would raise a positive obligation in both this example and the facts of the case, and therefore granted permission to proceed with the judicial review. Although this matter will not now be determined by the court in this case, the indication given in the permission hearing was clear.
The new European Directive and the introduction of compulsory notification
At the end of January this year, the European Commission proposed the reform of European data protection legislation.
After extensive discussion concerning the introduction of compulsory notification of data protection breaches, especially given the introduction of such provisions within US law, the proposed directive includes the following: “A personal data breach may, if not addressed in an adequate and timely manner, result in harm, including reputational damage to the individual concerned. Therefore, as soon as the controller becomes aware that such a breach has occurred, it should notify the breach to the competent national authority. The individuals whose personal data or privacy could be adversely affected by the breach should be notified without undue delay in order to allow them to take the necessary precautions. A breach should be considered as adversely affecting the personal data or privacy of an individual where it could result in, for example, identity theft or fraud, physical harm, significant humiliation or damage to reputation in connection with the processing of personal data.”05
The question remains whether a statutory obligation to notify data security breaches to both the ICO and victims would result in more effective data protection. The obvious benefit would be that the ICO would be better equipped to gauge the extent of the problem, enabling more effective regulatory action. For both private and public sector organisations, the requirement to notify individuals, given the inevitable commercial and reputational consequences which would follow, should certainly create a strong incentive to strengthen data protection measures.
However, there are also areas of concern with respect to this proposal. Reflecting Judge Foskett’s reasoning in the permission hearing above, it is clear that notification of victims will be influenced by an assessment of harm or adverse effect of the data breach. This notion will accordingly need to be carefully considered and a clear body of guidance developed in order to assist those making this decision.
The cost in notifying individuals may be disproportionately burdensome in some instances, especially where there are thousands of potential victims and when victims’ contact details are not available. Those individuals and organisations with poor data security practices may be less able to deal with the fallout – and the ICO is certainly not resourced to step into the breach. Finally, as with any requirement to notify the regulator of wrongdoing, where the consequences of notification are perceived as being disproportionately onerous, including the impact on an organisation’s reputation by making breaches public, there is a risk that they may choose not to notify in circumstances where the breach would not otherwise come to light.
As the debates commence in the European Parliament, it is clear that this issue will receive further attention in the UK courts and media within the context of the on-going examination of issues arising from the phone hacking investigations. Although it is unlikely there will be a simple resolution to the issues identified, it seems clear that the extension of notification requirements is inevitable.