Out-Law / Your Daily Need-To-Know

Why we don't need a security breach notification law in the UK

Out-Law Analysis | 19 May 2008 | 12:47 pm | 3 min. read

OPINION: Despite many calls from Parliamentary Select Committees and other commentators, I have come to the conclusion that a separate, security-breach notification law is not needed in the UK.

The reason is simple: failure of an organisation to contact individuals at risk of identity theft following a loss of unencrypted personal data on a laptop is a likely breach of the Data Protection Act and recent changes in the law means that such breaches could attract large fines.

There are eight Principles in the Act. The Seventh Principle deals with security matters. It states that any organisation processing personal data "must" establish "a level of security appropriate to the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage … and the nature of the data to be protected". The words "must" and "might" enshrined in the Principle are very important:– a risk assessment is the obvious way of identifying the types of procedures that must be implemented in order to that prevent the security breaches that might occur.

The requirement to perform a risk assessment can also extend to any transfer of personal data to a country outside the European Economic Area, for example, when an organisation uses a call centre in India. The Act's Eighth Principle allows an organisation to assess "an adequate level of protection", prior to transfer, by considering a number of risk factors. These risk factors include: "the nature of the personal data" being transferred, "the purposes for which and period during which the data are intended to be processed", "the law in force in the country or territory in question" and "any security measures taken in respect of the data in that country or territory".

Any competent risk assessment dealing with these considerations would include an analysis of the potential for the loss of personal data stored on portable media (e.g. on a flash drive or laptop) and consideration of consequences if personal data were to be lost. Such an assessment should thus identify when encryption would be the appropriate counter-measure to reduce the identified risks. If this is the case, then failure to undertake a risk assessment or to use encryption would be a likely breach of the Act's Seventh Principle, especially in cases where the data loss has been on the scale of recent events (e.g. the HMRC's missing CDs containing 26 million national insurance and bank account details).

This position is reinforced by a statement on the website of the Information Commissioner. It states: "There have been a number of reports recently of laptop computers, containing personal information which have been stolen from vehicles, dwellings or left in inappropriate places without being protected adequately. The Information Commissioner has formed the view that in future, where such losses occur and where encryption software has not been used to protect the data, enforcement action will be pursued".

In May this year, the Information Commissioner was given the ability to serve a "monetary penalty notice" on an organisation. This power, when it becomes operational, will be exercisable in circumstances where the Information Commissioner is satisfied that there has been a serious contravention of any data protection Principle, and where substantial distress has been caused by a failure to take reasonable steps to prevent that contravention.

Given the Commissioner's comments, it is clear that the loss of unencrypted personal data on a laptop would qualify as being a serious contravention that could become subject to a monetary penalty notice. This monetary penalty would be in addition to the right, granted by the Act, that allows individuals who suffer damage as a result of such a security breach to sue for compensation for that damage and any related distress.

Note also that if the correct measure to mitigate a security risk was the encryption of personal data on portable media, notification of data subjects would be the identifiable consequence if encryption procedures were not followed. It follows that failure to process personal data in order to make contact with individuals to alert them to a data loss could aggravate an existing breach of the Seventh Principle.

Indeed, failure to make contact also could lead to breaches of other data protection Principles. For example, the failure to process the personal data to inform individuals could be deemed to be unfair or inadequate in the context of the organisation's declared processing purpose.

In summary, most of the important features of USA-style, security breach notification law are now embedded into the guiding Principles of the Data Protection Act. Organisations risk being fined if they carelessly loose personal data or fail to encrypt personal data when they should have done. Individuals are protected because they have simple and free access to the Information Commissioner, who has powers to investigate any complaint and fine. Compensation for aggrieved individuals could arise from any significant security lapse.

In other words, all the features of a security breach notification law are now found in existing data protection legislation.

Dr Chris Pounder is a privacy law specialist with Pinsent Masons, the law firm behind OUT-LAW.COM, and editor of Data Protection Quarterly. These are the personal views of the author and do not necessarily represent the views of Pinsent Masons LLP.

Pinsent Masons is holding workshops on Law, Securty & Data Handling: Minimising the regulatory risks through good governance (2-page / 102KB PDF)

Global Term