Law proposed to target data loss

Peer pressure on Goverment to make reckless data loss a criminal offence

A new law that would make it a criminal offence to disclose personal information intentionally or recklessly has been proposed by the House of Lords.

A Liberal Democrat amendment to the Criminal Justice and Immigration Bill, was similar to one proposed by the Conservatives, was passed by the Lords at the end of last month, despite Government opposition.

The move comes after the ongoing disclosures of data breaches including the loss of computer discs containing 25 million child benefit records last November.
Richard Thomas, the Information Commissioner has since called for a law to make putting other people’s personal data at risk a criminal offence.

In January the Parliamentary Justice Committee backed Mr Thomas's calls for such a law. Liberal Democrat peer Baroness Miller of Chilthorne Domer, who introduced the amendment said: "Data controllers currently do not face anything like adequate sanctions if they intentionally or recklessly disclose information, or indeed are repeatedly negligent.”

If the amendment is to become law it will need to be approved by MPs in the House of Commons. However the Government originally opposed the amendment and although it was defeated in the Lords by 134 votes to 130, it could use its majority in the Commons to overturn this.

Lord Hunt of Kings Heath at the Ministry of Justice said the Government wanted to wait until it had reviewed past problems with data loss before legislating.

However Baroness Miller said that the public could not afford to wait.

"Basically the public will have to continue with this lack of protection for at least another year or two, during which time, at the rate of the past 12 months, millions more pieces of data will have gone missing," she said.

If the amendment is passed it will continue to be policed by the Information Commissioner’s Office. It would become a criminal offence to "intentionally or recklessly disclose information contained in personal data to another person, repeatedly and negligently allow information to be contained in personal data to be disclosed, or intentionally or recklessly fail to comply with [their] duties ".

The ICO has guidelines on its website about determining what constitutes personal data and incorrect data protection procedures and unencrypted devices might constitute offences.