In his closing keynote at the RSA security conference in London, Information Commissioner Richard Thomas decried current high levels of data insecurity, calling this the year of data breaches.
The Information Commissioner's Office (ICO) has received reports of 277 data breaches across a range of sectors since November last year, when the HMRC lost 25 million child benefit records, Thomas revealed. He added that he thought this was just a fraction of the true number, with many more not being reported.
He began his speech by pointing out that data protection was previously considered a nuisance and something to blame, but changes in recent years have turned this on its head, with data protection and freedom of data being highly topical issues.
"It is alarming that despite high-profile data losses, the threat of enforcement action, a plethora of reports on data handling and clear ICO guidance, the flow of data breaches and sloppy information handling continues," said Thomas.
"The number of breaches brought to our attention is serious and worrying. I recognise that some breaches are being discovered because of improved checks and audits as a welcome result of taking data security more seriously."
He said there is a need to focus on the detriment to individuals, organisations and society that data losses can have. The ICO's responsibility is to educate, regulate and enforce, and in the future it would be bringing a heavier hand, stronger laws and greater scrutiny, he added.
"Personal information is now the lifeblood of government and business," said Thomas, focusing on the positive aspects of the data explosion seen in recent years.
"Used properly and intelligently, personal information can lead to better customer service, improved efficiency, more effective law enforcement and protection of the vulnerable and a better quality of life for everyone. But this means respecting and protecting people's privacy and personal information has never been more important."
Thomas then warned of the tremendous risks of centralising large amounts of sensitive data.
"It is time for the penny to drop. The more databases that are set up and the more information exchanged from one place to another, the greater the risk of things going wrong. The more you centralise data collection, the greater the risk of multiple records going missing or wrong decisions about real people being made," he said.
"Put simply, holding huge collections of personal data brings significant risks."
The Home Office responded to Thomas's comments regarding large centralised databases, saying that no decisions have been taken yet and that there will be consultation regarding projects such as ID cards and a central communications database in the New Year.
"Of course there is a balance between privacy and our liberty, which is why we have said we will be consulting on this and seeking a political consensus," said a Home Office spokesman.
"Our ability to intercept communications and obtain communications data is vital to fighting terrorism and combating serious crime, including child sex abuse, murder and drugs trafficking. Communications data — that is, data about calls, such as the location and identity of the caller, not the content of the calls themselves — is used as important evidence in 95 per cent of serious crime cases and in almost all security service operations since 2004.
"There are no plans for an enormous database that will contain the content of your emails, the texts that you send or the chats you have on the phone or online," he added.
Thomas also used his speech to argue for increased powers and resources for the ICO. In the near future, the ICO hopes to be able to enforce civil penalties where there has been deliberate or reckless treatment of data, as well as carry out spot checks, inspections and audit without consent. The ICO is also looking to boost its resources through tiered notification fees.
He added that it was unfortunate that it took the massive slew of losses to bring this to light, but also that it was important not to overreact.
In this regard, Thomas went on to say that he was not in favour of data breach legislation similar to that in the US, whereby there is a statutory duty to notify individuals when a breach occurs. He believes that it would be better for the ICO to conduct a risk assessment on a case-by-case basis and take a decision depending on the level of risk and the appropriate response.
The ICO is currently investigating 30 serious cases and has already taken enforcement action against several organisations including HMRC, the Ministry of Defence, the Department of Health, several mobile and internet providers and others.
Thomas is due to step down from his role in the middle of 2009, but he believes his successor and the ICO as a whole are set to be in a much stronger position for the future.