Employers that flout data protection laws face the prospect of raids and hefty fines in the wake of the child benefit fiasco.
Information commissioner Richard Thomas is pushing for the government to increase his office’s ability to enforce the Data Protection Act by introducing a new criminal offence, and giving it the power to randomly spot check companies suspected of breaking the data rules.
Prime minister Gordon Brown gave the go-ahead for Thomas to check all government departments and agencies following the revelation that HM Revenue & Customs lost discs containing the personal details of 25 million child benefit claimants.
Thomas said it was vital that his office was given powers to audit and inspect organisations that process people’s personal information, without first having to get those organisations’ consent. “The onus is now on every organisation to take privacy far more seriously,” he said. “Alarm bells must ring in every boardroom. Data protection safeguards must be technically robust and idiot proof. Ultimately, [audit powers] will ensure better compliance with the law and protect people’s data.”
The CBI is likely to resist any extension of Thomas’s power, however. Back in July, the business lobby group rejected his call for the ability to inspect files without an organisation’s full consent.
But data security and legal experts have insisted the move is necessary to force companies to take their obligations seriously.
Sheila Fahy, professional support lawyer at law firm Allen & Overy, told Personnel Today: “If there was a chance of a dawn raid, then organisations would make sure employee data was secure.”
Thomas also wants to remove a layer of bureaucracy by making security breaches a criminal offence. Currently, the Information Commissioner has to issue an enforcement notice. Only if this is broken is an offence committed. “Making [security breaches] a criminal offence would serve as a strong deterrent and would send a very strong signal that it is completely unacceptable to be cavalier with people’s personal information,” he added.
Simon Davies, director of the watchdog Privacy International, said: “The government should immediately take action to introduce data breach legislation to require all organisations, private and public, to notify at-risk customers without delay.”