short lines

Data Security Breaches

March 2009

In recent months there have been an increasing number of reports in the media of high profile personal data security breaches. Although a number of these breaches have placed a spotlight on public sector bodies and government departments, compliance with data protection laws, including those concerned with the security of personal data, is equally important in the private sector.
In light of heightened public awareness of data security issues following reported breaches, this note considers:

briefly, organisations’ security obligations under the Data Protection Act 1998 (“DPA”)
laws and guidance surrounding notification of breaches (now and in the future); and
potential future penalties for an organisation which suffers a security breach.

The Seventh Data Protection Principle

Under the seventh data protection principle of the DPA, ‘data controllers’ must take appropriate technical and organisational measures to prevent unauthorised or unlawful processing of, and accidental loss, destruction or damage to, ‘personal data’.

The extent of the security measures required of a data controller are determined in part by the nature of the data to be protected (e.g. particular care must be taken with sensitive personal data) and by the harm that may result from a breach of security. Organisations are therefore encouraged to adopt a risk-based approach to determining what measures are appropriate.

What if a breach occurs?

To comply with obligations under the seventh principle, it is suggested that data controllers consider implementing a personal data security breach management plan. The Information Commissioner’s Office (“ICO”) has identified four key steps, as follows, for adopting such a plan and has expanded on these in a Good Practice Note[1]:

containment of damage and recovery of losses (where possible);
assessment of the risks arising as a result of the breach;
evaluation of the cause the breach and effectiveness of the response; and
notification of breaches where required (specifically addressed in the section below).

To Notify or Not to Notify?

There is currently no legal obligation requiring data controllers to notify a breach of personal data security, although sector specific rules may apply[2]. In response to the Data Sharing Review Report[3], the Government:

agreed with the Report’s recommendation that notification of a data security breach should not be mandatory (instead in cases involving substantial damage and distress, failure to notify should be taken account of by the ICO when determining any penalties); and
confirmed it has decided not to implement data breach notification legislation (similar to that in force in the U.S) here (at present)[4].

However, the ICO is of the view that serious breaches of security which result in loss, release or corruption of personal data should be reported to the ICO. This has driven a substantial rise in the number of personal data security breach notifications, particularly over the past three months[5].

Whether a breach warrants notification to the ICO and the data subjects concerned will depend on a matrix of:

the potential harm to data subjects;
the volume of personal data lost, released or corrupted;
the sensitivity of the personal data lost, released or corrupted;
regulatory or voluntary code adherence;
seriousness of the breach;
benefits that might be obtained by disclosure;
whether notification assists with security and so compliance with the seventh principle;
whether notification will help the data subjects to whom the personal data pertains;
loss of reputation for the data controller; and
loss of customer goodwill by the data controller.

As evidenced by published statistics, only 1 in 9 notifications (the most serious) are being investigated by the ICO. Therefore, while regulatory action by the ICO remains a consideration, in reality it is likely to have an impact on notification decisions in circumstances of the most serious breaches only. In all decisions of whether or not to notify, the data controller will set the benefits of maintaining public confidence in data sharing (through not disclosing) against operating a transparent business operation.

Why comply? ICO’s Enforcement Powers

The ICO has various powers to carry out investigations into suspected breaches of data protection law, however it has been arguing for some time that its powers, sanctions and resources need re-enforcement to ensure compliance. As a result, the Criminal Justice and Immigration Act 2008 introduces a new section 55A-E into the DPA, providing the ICO with the power to impose substantial penalties on data controllers in certain circumstances. In particular, a monetary penalty notice may be served where there is a “serious contravention” of the data protection principles which is likely to cause substantial damage or substantial distress, and either the contravention was deliberate or the data controller ought to have known that there was a risk that such a contravention would occur but failed to take reasonable steps to prevent the contravention.

Section 55A of the DPA is not yet in force, but is expected to go before Parliament during the autumn of 2009. ICO guidance on the new powers, including the circumstances in which it would be appropriate to issue a monetary penalty notice and how the amount of the penalty would be determined, is expected to be issued around the same time once approved by the Secretary of State. The Data Sharing Review[6] recommended that the maximum level of the penalty which may be imposed should mirror existing sanctions available to the Financial Services Authority, setting high, but proportionate, maxima related to turnover. The Response to the Data Sharing Review Report[7] states that Government is working with the ICO to determine suitable levels of the maximum penalty possibly on a model “similar” to that operated by the Financial Services Authority.

It is open to discussion how much of a deterrent Section 55A will prove to be and how often is it likely to be used by the ICO. Even when it comes into force, the nature of the offence means that the ICO will only be able to use the new powers in serious cases where there is essentially a willful disregard for the requirements of the DPA or grossly negligent approach to compliance. In addition, the Government has announced its intention[8] to grant an exemption from the monetary penalty where data controllers consent to a “good practice assessment” (essentially an audit of a data controller’s processing) in order to encourage compliance. Nevertheless, it seems clear that the ICO is hoping that the new powers will help to strengthen the UK’s data protection regime and send a clear message to data controllers that data protection requirements cannot be ignored or dismissed lightly.

Future Legislation and Notification Requirements

Although the UK Governmental position results in private sector organisations currently escaping a mandatory notification regime in respect of data security breaches, this absence of regulation may not continue.

A new e-Privacy Directive[9] is currently making its way through the European legislative process and includes a proposal to establish a mandatory system for breaches of personal data security. The details of such a system are still to be finalised, with the European Parliament, the Commission and, most recently, the Council taking slightly different approaches. The European Data Protection Supervisor (“Supervisor”) issued a second opinion on the review of Directive 2002/58EC on 9th January 2009[10]. The main debate surrounds:

the entities to be subject to the obligation to notify (providers of publicly available electronic communications services and potentially, as supported by the European Parliament and the Supervisor, information society services, such as online retailers, on-line banks and on-line pharmacies);
the trigger for notification to individuals. The crux of the issue is the level of harm required to trigger the notification requirement – the Supervisor favours “reasonably likely to harm”, the standard put forward by the Commission’s amended proposal, rather than the standard adopted by the Council, which requires notification only in the event of a “serious risk to privacy”); and
the entity responsible for determining whether a security breach meets the requirement to notify (either the entity which caused the breach or the appropriate national authority).

Whatever the outcome, the e-Privacy Directive could yet result in a widespread mandatory notification scheme being introduced into UK laws.

Calum Murray

[1] See: http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/guidance_on_data_security_breach_
management.pdf

[2] Note however that for public sector organisations the fallout from the HMRC/Child Benefit matter has lead the Information Commissioner to require Government departments to notify data breaches to the ICO.

[3] The Data Sharing Review Report was published on 11 July 2008 and was produced by Dr Mark Walport of the Wellcome Trust and the Information Commissioner. The purpose of the report was to independently review the framework for the use of personal information in the public and private sectors: http://www.justice.gov.uk/reviews/datasharing-intro.htm

[4] See: http://www.justice.gov.uk/docs/response-data-sharing-review.pdf

[5] See ICO press release: http://www.ico.gov.uk/upload/documents/pressreleases/2009/data_breaches_ico_statement20090209.pdf

[6] See http://www.justice.gov.uk/reviews/datasharing-intro.htm

[7] Op cit note 3

[8] See the MOJ’s response of 24 November 2008 to the consultation paper on the Information Commissioner’s Inspection Powers and Funding Arrangements under the DPA http://www.justice.gov.uk/docs/information-commissioner-consultation-responses.pdf

[9] Proposed Directive of the European Parliament and of the Council amending Directive 2002/22/EC on universal service and users' rights relating to electronic communications networks, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on consumer protection cooperation

[10] See http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2009/09-01-09_ePricacy_2_EN.pdf