The Data Protection Act 1998 (the Act) imposes eight principles on those controlling the processing of personal data in the United Kingdom. The seventh data protection principle is to ensure that "appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.” Neither the seventh principle nor the Act go as far as imposing a statutory requirement to notify either individuals concerned or regulatory bodies in the event of a loss of personal data security breach.
Although there is no legal obligation on data controllers to report breaches of security which result in loss, release or corruption of personal data, between late 2007 and late 2009 over 800 data security breaches were reported to the Information Commissioner’s Office (ICO). While mistakes accounted for 195 of the data security breaches, 262 were the result of theft, often where the personal information was held on an unencrypted portable device. This level of reporting reflects guidance given by the Information Commissioner that serious breaches should be brought to the attention of his Office so that the nature of the breach or loss can then be considered, together with whether the data controller is properly meeting his responsibilities under the Act.
There is no definition of “serious breach” but the ICO suggests that in the event of data loss an assessment be made of the potential harm and the extent of harm caused by the loss. The ICO considers “harm” to include possible exposure to identity theft or private information being made known to others. Where there is significant actual or potential harm as a result of the loss, whether because of the volume of data, its sensitivity or a combination of the two, there should be a presumption to report the loss to the ICO.
It is difficult to be precise about what constitutes a large volume of personal data. Every case must be considered on its own merits but the ICO considers a reasonable rule of thumb is any collection of data containing information about 1,000 or more individuals. However, it may be appropriate to report much lower volumes in some circumstances where the risk is particularly high perhaps because of the circumstances of the loss or the extent of information about each individual. If the data controller is unsure whether to report or not, then the presumption should be to report.
Organisations are being urged to “talk” to the ICO when breaches occur on the basis that whilst this might result in regulatory action, organisations have a duty to act responsibly and trying to cover up breaches which subsequently come to the attention of the ICO is likely to result in “tougher regulatory sanctions”, which may be linked to the ICO’s increased power to levy fines of up to £500,000 which are coming into force in April 2010.
Serious breaches should be notified to the ICO either online or by post and should include the following information:
- The type of information and number of records
- The circumstances of the loss/release/corruption
- Action taken to minimise/mitigate the effect on individuals involved including whether they have been informed
- Details of how the breach is being investigated
- Whether any other regulatory body has been informed and its response
- Remedial action taken to prevent future occurrence
- Any other information you feel may assist the ICO in making an assessment
- Additionally, the ICO finds it useful to know whether or not the media has been informed of the loss or if there are plans to inform the media.
The ICO will record the loss, assess the nature and seriousness of the breach and the adequacy of any remedial action taken. The ICO may then either determine that no further action is required or investigate the circumstances of the breach and require the data controller to undertake a course of action to prevent further breaches. In certain instances the further action may include formal enforcement action turning such a requirement into a legal obligation.
Although there is no general publication of notifications of breach, the ICO may recommend that the data controller make a breach public where it is clearly in the interests of the individuals concerned or there is a strong public interest argument to do so. Additionally, the ICO has a policy of publicising all regulatory action it undertakes, including obtaining formal undertakings from data controllers.
There are a few simple steps that businesses can take to minimise the risk of security breaches involving personal information occurring in the first place: Ensure that all portable media devices containing personal information are encrypted, provide adequate staff training and give “proper consideration” to restricting staff from downloading large volumes of data onto portable devices, and ensure that personal information held within buildings and offices is protected by adequate security arrangements to prevent theft or loss of the data.
What is clear for businesses is that brushing breaches under the carpet in the hope that those breaches do not result in harm to individuals which subsequently comes to the attention of the ICO, or relying on the letter or the law with regard to breach notification is often not the best option.
Most US States already have data loss notification laws in force. The US Congress is currently considering a national data breach notification law requiring businesses to notify customers and the Federal Trade Commission if sensitive information has been exposed due to a security breach. In Europe the Article 29 Working Party continues to press for a data breach notification law. In the United Kingdom, although Government departments and many National Health Service organisations are obliged to inform the ICO when a data breach occurs, those in the financial services sector must notify the Financial Services Authority, and communications companies will be subject to new data breach notification rules under changes to the e-Privacy Directive (2002/50/EC). However, there is currently no general legal obligation on data controllers to notify the ICO in the event of data loss. The ICO has tried to limit the impact of this legal lacuna using strongly worded guidance.
The ICO’s new powers to impose monetary penalties for serious breaches of the data protection principles are expected to come into force on 6 April 2010. The ICO will be able to order organisations to pay up to £500,000 where they are found to be deliberately or recklessly breaching the data protection principles. The ICO has now published its final guidance on its new power to impose monetary penalties and whilst not particularly enlightening, this does state that a monetary penalty notice will only be appropriate in the most serious situations, taking into account the sector, the size of the organisation, and the financial and other resources of the data controller before determining the exact amount. Organisations should note, however, that the ICO says that it will not impose a monetary penalty where the breach is discovered in the process of a voluntary assessment of the data controller. In the light of the new powers, and the warning of tougher sanctions for failure to notify breaches, businesses should consider carefully the extent to which they are prepared to commit resources to ensuring general data protection compliance and working with the ICO as a matter of best practice.