The Information Commissioner’s Office (ICO) is being put under pressure to ensure that every public and private organisation that suffers data loss or a security breach is obliged by legislation to notify it of such events.
It has also been suggested that the ICO’s power to fine those found to have contravened the rules of the Data Protection Act sums of up to half a million pounds is far from adequate and cannot be seen as a suitable deterrent.
This latest criticism of the ICO and the legislation with which it enforces data protection standards comes from Stewart Room, a leading legal force at Field Fisher Waterhouse. Mr Room spoke out at an event, highlighting what he sees as the ineffectiveness of the ICO, with businesses simply avoiding accountability by obscuring the details of a data loss.
Mr Room said that because there was no legal mandate for businesses to notify the ICO in the event of data loss and security breaches it was unlikely that firms would choose to do so when the result could be a £500,000 fine.
Organisations have a tendency to cover up their failings in the hope that the ICO will not become aware of the incident in the future and even when their misdemeanours are revealed, the ICO cannot act upon such failure to disclose because reporting is still not a requirement.
Mr Room added his voice to the growing number of experts who believe the ICO should be able to penalise firms under an uncapped system. This could result in far more substantial fines that should prove to be a more effective mechanism by which to bring even the largest organisations in line with best practice.
Internet Service Providers (ISPs) will become the first group of businesses that are required to report data loss and security breaches to the ICO next March, but according to some observers, this change will actually make little difference because the firms claim they already contact the ICO in the event that problems are detected.
A spokesperson for the ICO said that the organisation would be looking to the government for future extensions to its powers and in the meantime would be focusing its attentions on the further education of the public in order to instil data protection best practices in the wider population.
