Justice secretary Jack Straw has proposed that the Information Commissioner's Office should receive many of the extra powers it has requested.
These powers include the ability to impose fines on data controllers for deliberate or reckless loss of data and to inspect public-sector organisations for compliance with the Data Protection Act (DPA) without prior consent.
The Ministry of Justice and the Information Commissioner's Office (ICO) are discussing the size of the fines but in a response to the Data Sharing Review — carried out by information commissioner Richard Thomas and Wellcome Trust director Mark Walport — published on Monday, the ministry said: "We can see the merits in using an established, existing model and are considering the implementation of one similar to that operated by the Financial Services Authority [FSA]".
The FSA has issued fines in excess of £1m to financial-services companies that have lost personal data. Thomas and Walport asked for such fines to be in place by 8 November and, although this has not happened, the ministry's response said it hopes to introduce the provision shortly.
"The changes we propose today will strengthen the information commissioner's ability to enforce the DPA, and improve the transparency and accountability of organisations dealing with personal information," said Straw.
"This is very important if we are to regain public confidence in the handling and sharing of personal information," he added. The government will bring forward legislation to support the changes when parliamentary time allows.
In a change that will increase costs for many state-sector organisations, the ICO will replace the existing flat fee for data controllers with a series of charges based on organisational size.
The ICO will also be able to serve a warrant on anyone to provide information to determine compliance with the DPA; impose a deadline and location for the provision of information necessary to assess compliance; publish guidance on when organisations should notify it of data breaches; and publish a statutory data-sharing code of practice, to be used in legal cases involving data protection.
"We welcome these new powers, which reflect the importance of data protection, sending a strong message that it must be taken seriously," said an ICO spokesperson. "We would have preferred the power to inspect private-sector organisations' compliance with the DPA without their consent, but we broadly welcome the announcements today."
Read this
The future of netbooks
What technologies will the netbooks of the future incorporate as standard?
Straw has provided the ICO with many of the powers Thomas and Walport asked for. In the ministry's response to their review, it said that all departments have started publishing information on data losses in their annual resource accounts, have appointed senior information risk officers and are ensuring that all organisations that help deliver services are aware of their responsibilities.
The ministry agreed that organisations should make it more clear what they intend to do with personal information, and said the ICO is working on a code of practice on fair processing notices. The ministry also supported the recommendation that organisations publish details of how long they keep data and in what ways they share it.
The ministry also gave its support to recommendations on better training for staff, with those handling data given awareness training on appointment and, at least, annually. A recommendation for legislation for a fast-track process to allow data-sharing where there is "a robust case", also gained ministry approval.
Although government departments are now required to report details of significant actual or potential losses of personal data to the ICO, the ministry said it does not intend to introduce wholesale data-breach-notification legislation as exists in the US — something Thomas and Walport had not recommended.
Talkback
This is the same document that would give the DoJ the authority to grant themselves permission to reuse data collected for one use for a completely different use without reference to parliament or anybody else.
So the commissioner can march in and catch them with their pants down, and they can just redefine down as up on a whim and walk away.
This step helps focus the mind on what data is owned by a department and where it is but technical measures are required to manage and control the data such that if data is lost then the department knows what data was actually lost.
One example is the ubiquitous USB stick.
In order to ensure the effective enforcement of a USB device policy, I recommend the following 3 key steps:
1. Quantify the risk of unmanaged USB devices on your network. A good way would be to do a device scan. Any data protection solution should have this capability.
2. Define data policy on the use of USB sticks and the data and file types transferred to these devices. Identifying what file types or desktops should automatically apply encryption would be part of this effort. Data shadowing could be utilised for sensitive information and selective auditing would track what files are being distributed on specfic media types. If required, IT administrators are able to capture the complete binary code of the data transfered and save it on a centralised server. This can be assimilated to an entire mirror copy of the data and used for auditing purposes.
3. Enforce the policy. While you can do this through technology solutions you must also adopt a enterprise wide educational effort and ensure the buy-in of all senior management. Focused education and awareness is paramount to policy enforcement.
OK so these people can now be fined, who pays the fine when the government departments lose data and to whom do the fines get paid.
More lip service from a shambolic government trying to con the public into thinking they know what they are doing.
This post has been removed by a moderator.
This post has been removed by a moderator.
This post has been removed by a moderator.