The UK does not need a data breach notification law, says Government

Out-Law News | 25 Nov 2008 | 5:58 pm | 2 min. read

The Government has rejected calls for a law that would require significant data security breaches to be notified to the country's privacy regulator. It said that notification to the Information Commissioner should be a matter of good practice, not law.

The announcement came in a Ministry of Justice report on the Information Commissioner's inspection powers and funding arrangements, one of two reports published by the Ministry yesterday. (See today's other stories on the reports: Government announces new law for increased data sharing, OUT-LAW News, 25/11/2008; and ICO to get powers to audit public bodies without consent, OUT-LAW News, 25/11/2008)

Most states in the US have passed laws that already require organisations to notify significant data breaches. Europe is introducing a law that will apply such a requirement to telecommunications firms; and Peter Hustinx, the European Data Protection Supervisor, said in April that that law should be extended to banks, businesses and medical bodies. A House of Lords committee said in 2007 that "a data security breach notification law would be among the most important advances that the United Kingdom could make in promoting personal internet security".

However, the Information Commissioner's Office (ICO) has said that it does not want such a law in the UK. The Ministry of Justice said yesterday that it agrees.

"As a matter of good practice any significant data breach should be brought to the attention of the ICO and that organisation should work with the ICO to ensure that remedial action is taken," said the Ministry's report.

It is already mandatory for Government departments to share details of significant actual or potential losses of personal data with the ICO. The ICO has also produced guidance for data controllers on when data breaches should be notified as a matter of good practice.

"The ICO will take into account the failure of an organisation to notify any breaches of the data protection principles when considering enforcement action," said the Ministry's report.

William Malcolm, a data protection specialist with Pinsent Masons, the law firm behind OUT-LAW.COM, said that a notification law may have made little practical difference.

A failure to deal responsibly with a data breach could result in a breach of the Data Protection Act in any case, he said.

"The expectation of the ICO and the Financial Services Authority in the UK is that organisations will notify if breaches involve large numbers of individuals or have serious consequences for a particular individual," said Malcolm. "Most organisations understand this and do work with regulators, notifying the type of breaches they know they want to hear about."

"Having a law would risk regulators being inundated with notifications thus making it more difficult for the regulator to evaluate when the organisation making the disclosure thinks it's serious," he said.

"Assessing whether or not to notify a regulator is always a difficult issue. Organisations need to carefully weigh the pros and cons," he said. "In our experience it's always better to come clean rather than face having to own up on the back of a customer complaint directed to the regulator."

Pinsent Masons and Amberhawk Training are holding an Update session on 26th January in London where this topic forms part of the agenda. If you are interested in this event, please email [email protected] for a brochure.