UK rejected data breach notification law

By EDRi · December 3, 2008

(This article is also available in German)

Two reports were published on 24 November 2008 by the UK Ministry of Justice
relating to a data breach notification law, the powers of the Government
to share data, and the Information Commissioner's inspection powers and
funding arrangements.

One of the reports states that a law requiring significant data breaches to
be notified to the Information Commissioner's Office (ICO) was rejected, the
ministry considering that notification should be a matter of good practice
rather than a legal obligation: "As a matter of good practice any
significant data breach should be brought to the attention of the ICO and
that organisation should work with the ICO to ensure that remedial action is
taken", says the report, which adds: "The ICO will take into account the
failure of an organisation to notify any breaches of the data protection
principles when considering enforcement action."

The amendment of the EU ePrivacy Directive introduces such an obligation
for telecommunications companies, and Peter Hustinx, the European Data
Protection Supervisor, said in April that this obligation should be extended
to banks, online businesses and medical bodies.

William Malcolm from Pinsent Masons said a breach notification law might
have been unnecessary anyway, as failing to deal responsibly with a data
breach would itself amount to a breach of the Data Protection Act.

The report also announced that new laws would increase the powers of the
Government to share data, introducing a fast-track procedure to allow data
sharing when "a robust case" could be made. "We intend to bring forward
legislation to confer upon the Secretary of State a power to permit or
require the sharing of personal information between particular persons or
bodies, so long as a robust case can be made to use that power. The power
will also be used to simplify the data protection framework and remove any
unnecessary obstacles to data sharing", says the report.

The new legislation will also place a statutory duty on the ICO to prepare,
publish and review a Code on the sharing of personal data that will provide
guidance on how organisations can share personal data and promote good
practice in the sharing of personal data. "A breach of, or compliance
with, the Code will be taken into account by the courts, the Information
Tribunal and the ICO whenever it is relevant to a question arising in legal
or enforcement proceedings."

A second report acknowledged the need for a framework that would
increase "public trust and confidence in the handling of personal data by
both the public and private sector." The report proposes measures
complementing the ICO's present powers and ensuring it has the necessary and
effective instruments to carry out its regulatory functions.

The UK does not need a data breach notification law, says Government
(25.11.2008)
http://www.out-law.com//default.aspx?page=9619

Government announces new law for increased data sharing (25.11.2008)
http://www.out-law.com/page-9617

ICO to get powers to audit public bodies without consent (25.11.2008)
http://www.out-law.com/page-9618

The Information Commissioner's inspection powers and funding arrangements
under the Data Protection Act 1998: Summary of responses (24.11.2008)
http://www.justice.gov.uk/docs/information-commissioner-consultation-responses.pdf

Why we don’t need a security breach notification law in the UK (19.05.2008)
http://www.out-law.com/page-9128

EDRi-gram: Data breach notification - different opinions in EU bodies?
(19.11.2008)
http://www.edri.org/edri-gram/number6.22/data-breach-ec