ICO supports prison sentences for serious breaches
By Tom Brewster
October 7, 2010
In a response to an MoJ call for evidence, the ICO says it supports prison sentences for serious breaches of the Data Protection Act.
The most serious breaches of the Data Protection Act should carry with them the threat of imprisonment, according to information commissioner Christopher Graham.
In the Information Commissioner's Office (ICO) response to a Ministry of Justice call for evidence on the effectiveness of the European Data Protection Directive and the Data Protection Act (DPA), the watchdog said prison sentences should be a deterrent against breaking the law.
"It is widely evidenced that the greatest threat to information security in organisations is individuals, yet the DPA only provides for a fine for those individuals who knowingly or recklessly obtain or disclose personal data, or procure someone else to do this for them," the body said.
"The information commissioner considers that the trade in personal information justifies the possibility of a custodial sentence for the most serious offences."
Currently, individuals who breach the DPA can be issued with a £5,000 fine in the Magistrates Court, or an unlimited fine in the High Court.
Introduction of prison sentences was agreed on in 2008, but no one has been punished with a custodial sentence to date.
The response also noted the commissioner's support for enforced notification, again for more serious breaches.
"Although there is currently no legal obligation on data controllers to report breaches of security which result in loss, release or corruption of personal data, the information commissioner believes serious breaches should be brought to the attention of his office," the ICO said.
However, if disclosure does become a requirement, there would need to be a better definition of what constitutes a serious breach "on the basis of risk," the body suggested.
"If all security breaches are to be notified, this could create the potential for huge and disproportionate administrative burdens for both businesses who have to notify breaches regardless of their seriousness, and for the regulator who has to administer those breach notifications," the watchdog added.
"This could divert scarce resources from other, more effective regulatory activity."
Source: IT Pro