The Information Commissioner’s teeth will be delivered in the next couple of months. Regular readers will recall that last year saw intense lobbying by the ICO to be given far stronger powers to prosecute breaches of the Data Protection Act.
The Government gave in. It was rather on the back foot, having lost data with the same regularity that its MPs submitted expenses claims. So new legislation was drawn up which significantly enhances the ability of the ICO to punish those who do not take their data responsibilities seriously.
A major element of these new powers will be the ability to impose civil penalties on companies that have lost personal information. Previously, the ICO had to make a criminal case. So many more company directors could be facing up to the threat of paying for data security breaches.
How many? Any number greater than zero is likely to be an accurate estimate because there has been no regular tracking or obligation to report on such losses before. When they have become visible, it has often been a pre-emptive announcement by a company to mitigate customer concerns about their data.
What is not clear is whether the threat of fines will increase the number of such losses we are aware of or reduce them. After all, directors may decide that, if they own up, they could get hit with a fine (and may also face civil liabilities towards the data subjects), so it is better to keep quiet and hope not to get found out.
It is to be hoped that these new powers will lead to a reduction in actual data losses, whether we learn about them or not. Any organisation that is in possession of sensitive personal information – which effectively means every organisation that has computing technology – needs to be taking data security seriously.
This concern has been a long time in coming. It took 18 years for the opt-out to be added to the edited Electoral Roll, giving consumers the same rights they enjoyed in every other situation when they had to provide their personal information. It has taken 24 years for data breaches to be recognised and punished.
The assumption by many companies seems to have been that, if customers want to do business with them, surrendering control over their data is part of the deal. IT departments have concentrated on getting that data into the systems that need it. Directors have barely thought about the fact they may have other responsibilities.
Now the balance is swinging back towards the data subject – and so it should. After all, while the organisation might get fined and suffer damage to its reputation, that is as nothing to having your bank account or even identity hijacked.
Sometimes, the only thing you can do is to hurry up and wait.