25 Nov 2008 12:31
Justice secretary Jack Straw has proposed that the Information Commissioner's Office should receive many of the extra powers it has requested.
These powers include the ability to impose fines on data controllers for deliberate or reckless loss of data and to inspect public-sector organisations for compliance with the Data Protection Act (DPA) without prior consent.
The Ministry of Justice and the Information Commissioner's Office (ICO) are discussing the size of the fines but in a response to the Data Sharing Review — carried out by information commissioner Richard Thomas and Wellcome Trust director Mark Walport — published on Monday, the ministry said: "We can see the merits in using an established, existing model and are considering the implementation of one similar to that operated by the Financial Services Authority [FSA]".
The FSA has issued fines in excess of £1m to financial-services companies that have lost personal data. Thomas and Walport asked for such fines to be in place by 8 November and, although this has not happened, the ministry's response said it hopes to introduce the provision shortly.
"The changes we propose today will strengthen the information commissioner's ability to enforce the DPA, and improve the transparency and accountability of organisations dealing with personal information," said Straw.
"This is very important if we are to regain public confidence in the handling and sharing of personal information," he added. The government will bring forward legislation to support the changes when parliamentary time allows.
In a change that will increase costs for many state-sector organisations, the ICO will replace the existing flat fee for data controllers with a series of charges based on organisational size.
The ICO will also be able to serve a warrant on anyone to provide information to determine compliance with the DPA; impose a deadline and location for the provision of information necessary to assess compliance; publish guidance on when organisations should notify it of data breaches; and publish a statutory data-sharing code of practice, to be used in legal cases involving data protection.
"We welcome these new powers, which reflect the importance of data protection, sending a strong message that it must be taken seriously," said an ICO spokesperson. "We would have preferred the power to inspect private-sector organisations' compliance with the DPA without their consent, but we broadly welcome the announcements today."
Straw has provided the ICO with many of the powers Thomas and Walport asked for. In the ministry's response to their review, it said that all departments have started publishing information on data losses in their annual resource accounts, have appointed senior information risk officers and are ensuring that all organisations that help deliver services are aware of their responsibilities.
The ministry agreed that organisations should make it more clear what they intend to do with personal information, and said the ICO is working on a code of practice on fair processing notices. The ministry also supported the recommendation that organisations publish details of how long they keep data and in what ways they share it.
The ministry also gave its support to recommendations on better training for staff, with those handling data given awareness training on appointment and, at least, annually. A recommendation for legislation for a fast-track process to allow data-sharing where there is "a robust case", also gained ministry approval.
Although government departments are now required to report details of significant actual or potential losses of personal data to the ICO, the ministry said it does not intend to introduce wholesale data-breach-notification legislation as exists in the US — something Thomas and Walport had not recommended.
Story URL: http://news.zdnet.co.uk/security/0,1000000189,39562167,00.htmCopyright © 1995-2009 CBS Interactive Limited. All rights reserved
ZDNET is a registered service mark of CBS Interactive Limited. ZDNET Logo is a service mark of CBS Interactive Limited.