Reckless or repeated breaches of data security should become a criminal offence, the House of Commons Justice Select Committee has urged in its report into the protection of private data.

The call follows the loss of 25m people’s personal details by HM Revenue and Customs last November, described by the committee as ‘truly shocking’.

The report says the HMRC debacle could have been avoided if the government had listened to Information Commissioner Richard Thomas’s pleas for a change in data protection laws.

The MPs write in the report: “We are extremely concerned to hear from the Information Commissioner that there are more cases involving the loss of personal data which have not yet fully come to light. The warning which he issued in the summer about the dangers of mishandling personal data and the extensive security lapses in a wide range of organisations has been proved correct.”

They argue there must be a balance between the benefits of data sharing and the risks created by running centralised databases: “The government has acknowledged that there must be a proper approach to handling personal data. There must be a sensible balance between achieving the advantages which data sharing will provide and minimising the risks inherent in maintaining large databases to which a wide range of officials and others can gain access.”

Speaking on BBC Radio 4’s Today programme, Alan Beith, chairman of the committee, said Information Commissioner Richard Thomas, who gave evidence to the select committee, was warning of more personal data loss cases ‘in the pipeline’.

“[Whitehall] departments are coming to him on almost a confessional basis, quite rightly, to report that they too have got problems”, he said.

Currently, government departments cannot be held criminally responsible for data protection breaches.

Criminal offences under the Data Protection Act 1988, such as that of unlawfully obtaining or disclosing personal data, be it intentionally or recklessly, only exist in relation to the Information Commissioner’s Office staff and persons and organisations who are not the data controller.

There is currently no criminal offence of a data controller intentionally or recklessly disclosing personal information. The Commons Justice Committee are now pushing for this to be changed.

In a statement, Beith said: “The scale of the data loss by government bodies and contractors is truly shocking but the evidence we have had points to further hidden problems. It is frankly incredible, for example, that the measures HMRC has put in place were not already standard procedure.”

Beith continued: “It’s a very serious situation and it impairs the proper use of data, which is often very important both to individuals and in areas like child protection and dealing with criminal behaviour. Clearly, criminal sanctions are not the only ones you want to use. But perhaps the issue would be taken more seriously if there was a criminal offence at the end of the line.”

In the health sector, concerns over security are high, with four out of five doctors saying they are not convinced electronic care records will be secure. NHS chief executive David Nicholson wrote to all NHS trust chief executives last month, instructing them to immediately review and tighten their information governance and data transfer arrangements following reports of data losses by nine NHS trusts.

A Ministry of Justice spokesperson said: “Parliament is currently considering proposals to amend section 60 of the Data Protection Act through the Criminal Justice and Immigration Bill. This will provide a custodial sanction as well as the existing fines for those found guilty of unlawfully obtaining or disclosing personal data.”

Links

Justice committee report into protection of private data