
Law & Policy

Commons' committee calls for reckless-data-loss laws

…but be careful of 'knee-jerk' legislation, warn IT pros

Tags: security, government, law, data loss

By Nick Heath

Published: 3 January 2008 16:27 GMT

MPs have called for the reckless loss of computer data and personal information to be made a crime but IT industry leaders and legal experts have urged the government to avoid knee-jerk legislation.

But the parliamentary justice select committee's demands that recklessly or repeatedly mishandling personal information should become a criminal offence received a cautious welcome.

The committee said organisations should be obliged to report losses and expressed concern that further cases of data loss are still coming to light, saying there is evidence of a widespread problem within the government.

The recommendations by the committee, headed by Liberal Democrat MP Alan Beith, came in the wake of a series of admissions of lost data from government departments that began in November with HM Revenue & Customs losing the details of 25 million people claiming child benefit.

Its calls echo silicon.com's Full Disclosure campaign for legislation which would require organisations that suffer security breaches to alert their customers if there is a chance the breach has put individuals' sensitive personal data at risk.

Currently only third parties can be prosecuted under the Data Protection Act for offences such as unlawfully obtaining or disclosing personal data. This does not apply to the 'data controller', so large businesses or government departments currently cannot be held responsible for breaches.

The Information Commissioner's Office (ICO) welcomed the calls to make significant security breaches a criminal offence and reiterated its support for the government decision to give the ICO power to inspect an organisation without having to get its consent.

Information commissioner Richard Thomas said: "These new arrangements will not be burdensome or onerous for organisations, they are a vital step to ensure there is proper protection for personal information."

Any move to criminalise data loss could put senior civil servants and public sector IT departments at risk of prosecution.

Richard Steel, CIO of the London Borough of Newham and vice president of local government IT user group Socitm, told silicon.com: "I think probably it should be [a criminal offence] but there have to be controls.

"I think that if it was found that those responsible for operating public information databases haven't taken the proper steps to manage those systems effectively and applying the best security standards, then there might very well be action."

He added that if all reasonable controls have been taken but a breach occurs, it would be harder to justify.

Jonathan Armstrong, technology lawyer with Eversheds, said the government should take care not to rush through laws as it had done with the Dangerous Dogs Act.

He told silicon.com: "I am keen we avoid going down the route where the legislation is introduced in haste and has not been thought through properly. The definition is going to have to be fairly precise and why are we not including manual data? Some of the worst breaches to date have been with manual records and when does data stop being electronic and become manual?

"My other concern is ensuring that extra resources are in place to police it. But undoubtedly it would have an effect on organisations' behaviour as you can see in other areas, such as with environmental legislation, where companies' activities can be criminalised."

He said he believes a fine would be an adequate deterrent without the need for the threat of a custodial sentence.
