UK doesn't need data-breach notification laws

 

Gallery

Posted on 27 Nov 2008 at 09:18

The Government has announced it will not be implementing a data-breach notification law.

Government departments are already required to notify the Information Commissioner's Office of any potential data losses, and the data-breach notification law would also have made it compulsory for private businesses.

A similar law is already in effect across the US, however, the ICO reported in July that it saw little benefit in enacting it here. Instead the ICO has produced guidance for businesses on when it should be notified of data breaches as a matter of good practice. The Government agrees with this stance.

"After considering the analysis of the experience of the US in the area of data-breach notification legislation, the Government is not intending to implement similar legislation to that in operation in the US," says the Ministry's report, dismissing the law.

"As a matter of good practice any significant data breach should be brought to the attention of the ICO and that organisation should work with the ICO to ensure that remedial action is taken.

"The ICO will take into account the failure of an organisation to notify any breaches of the data protection principles when considering enforcement action."

The Government's stance could put it at odds with the EU, which plans to force companies to own up to data breaches as part of its new ePrivacy Directive.

The decision also flies in the face of a report into personal internet security by the House of Lords Select Committee on Science and Technology, which concluded that data breach notification "would be among the most important advances that the United Kingdom could make in promoting personal Internet security."

Author: Stuart Turton