Will the threat of jail improve data protection?

Stephen Pritchard

Next month, UK data protection laws will be strengthened again.

From 6 April, fail to observe the Data Protection Act, and your company faces a 500,000 fine. Until now, the maximum fine the Information Commissioner's Office (ICO) could issue was 5,000; arguably not even a slap on the wrist for those who fail to protect data.

In many ways, the move should be welcomed. The ICO had only limited powers to go after organisations that put personal data at risk.

In practice, the Information Commissioner has had to rely on naming and shaming those behind data breaches, or leave it to other agencies, such as the Financial Services Authority, to wield a bigger stick.

The FSA has handed out some pretty hefty fines already, most notably to HSBC, which was forced to pay more than 3m for multiple data breaches.

The ICO will not be able to go that far next month, although the organisation is pressing for still tougher penalties, including possible jail terms.

In October, the Ministry of Justice issued a consultation, which proposed a custodial sentence of up to two years, for those who knowingly or recklessly breach Section 55 of the Data Protection Act.

Whilst the Government considers the results of the consultation, the ICO will have to rely on financial penalties alone. And the effectiveness of the ICO's sanctions will depend largely on how it chooses to use its new powers.

As Richard Turner, chief executive of data security company Clearswift, points out, most data breaches that are not deliberate are preventable. Better user education about the Act, as well as better data loss prevention technology, will help companies comply.

Businesses, though, might not invest in those measures if the threat of heavy fines, or even jail time for their executives, hangs over them. So for the Act to be enforced effectively, the ICO will need to distinguish between genuinely accidental data losses, those that are caused or aided by negligence, and those that are deliberate.

The largest fines will need to be reserved for those data losses where someone acted with intent.

But if the goal is to improve data security overall rather than simply punish offenders then the ICO could do worse than to follow the FSA's model and reduce its penalties for organisations that co-operate with its investigations. That way, companies have an incentive to fix the problem once and for all.

The ICO has issued guidance on how it will use the new penalties here.

Stephen Pritchard is a contributing editor at IT PRO.

Comments? Questions? You can email him here.