Out-Law News 2 min. read

Privacy watchdog advises on how to deal with data loss

Leaders of organisations which lose personal data should think carefully before telling customers, employees or regulators of the incident, the Information Commissioner's Office (ICO) has said. New advice says that notification should have a clear purpose.

Some privacy campaigners want the UK to pass the kind of data breach notification law that exists in California and other US states. Such laws force organisations to make public any personal data losses.

Backers of the laws say they increase transparency and accountability and force organisations to take privacy more seriously. Detractors say they can desensitise the public to the dangers of lost data.

"Informing people is not an end in itself," says new advice from the ICO for organisations which accidentally lose personal data. "Notification should have a clear purpose, whether this is to enable individuals who may have been affected to take steps to protect themselves or to allow the appropriate regulatory bodies to perform their functions, provide advice and deal with complaints."

"Have you considered the dangers of ‘over notifying’?" says the advice. "Not every incident will warrant notification and notifying a whole 2 million strong customer base of an issue affecting only 2,000 customers may well cause disproportionate enquiries and work."

The ICO's advice is designed to guide organisations in how they should prepare for and deal with an accidental loss of the personal data of employees or customers. It says that organisations should prepare a recovery plan outlining how it will deal with any future data loss.

"This will often involve input from specialists across the business such as IT, HR and legal and in some cases contact with external stakeholders and suppliers," it says. "Where appropriate, inform the police."

The guidance says that data losses can verge from the relatively trivial, in which the biggest harmful effect is inconvenience, to extremely serious, in which highly personal data or information that could be used to commit identity fraud is lost.

"Perhaps most important is an assessment of potential adverse consequences for individuals, how serious or substantial these are and how likely they are to happen," it says.

On the issue of notification the ICO reminds organisations that though there is no overarching law requiring them to make a breach public, individual sectors have their own rules, some of which might order notification.

In deciding whether or not to publicise a breach, the guidance says that organisations should consider whether it would do the people whose data has been lost any practical good.

"Can notification help the individual? Bearing in mind the potential effects of the breach, could individuals act on the information you provide to mitigate risks, for example by cancelling a credit card or changing a password?" it says.

Notifying the ICO will not necessarily be enough. "You might also need to consider notifying third parties such as the police,  insurers, professional bodies, bank or credit card companies who can assist in reducing the risk of financial loss to individuals, and trade unions," says the guidance.

The guidance is designed for companies whose data loss is accidental, but Information Commissioner Richard Thomas has also addressed the problem of deliberate and malicious use of personal data.

Two years ago Thomas proposed that those found guilty of deliberately disclosing or receiving people's personal data without their consent receive a jail term. The Government has now proposed that the Criminal Justice and Immigration Bill be altered to permit a jail term for those convicted of buying or selling personal data.

Thomas has called on Parliament to ensure that this measure – to be clause 76 of the Act – is passed in the face of mounting opposition.

"There have been powerful last-ditch efforts to get clause 76 removed from the Criminal Justice and Immigration Bill," said Thomas. "There has been widespread support for the government’s decision to strengthen the law, and if data protection is to be taken seriously it is vital that the government and other parties should stand firm against any possible amendments. I am determined to stop the pernicious illegal market in personal information which our reports exposed."

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.