Data Security Breach Notification in the UK

June 2, 2008

New guidelines issued by the Information Commissioner’s Office (ICO) on data security breach management expose a surprising loophole in the Data Protection Act 1998 by making it clear that any decision to report a security breach is entirely a matter of judgement for the organisation concerned. Far from being a powerful weapon in the fight against cybercrime, the DPA is largely ineffective and the latest guidance from the ICO, which is responsible for enforcing the DPA, has reinforced the perception that it is a toothless tiger!

The ICO’s guidance was prepared in response to last year’s scandal in which millions of social security files were lost in the post by HMRC. The guidance states: ‘Informing people and organisations that you have experienced a data security breach can be an important element in your breach management strategy. However, informing people about a breach is not an end in itself. Notification should have a clear purpose, whether this is to enable individuals who may have been affected to take steps to protect themselves, or to allow the appropriate regulatory bodies to perform their functions, provide advice and deal with complaints.’ While the guidance urges organisations that have suffered a data loss – either by accident or theft – to inform the ICO immediately, it also admits: ‘At present there is no law expressly requiring you to notify a breach’, although it goes on to say that sector-specific rules may lead firms and other organisations to issue a notification.

What underlies the ICO’s guidance is an apparent tolerance for low-level, low-impact breaches of data security. The Information Commissioner has suggested that his office will only take action in the most serious cases, where there is serious public concern. How the public can become concerned about breaches that are not notified is not explained! Self-evidently, if the ICO is not informed of a breach it will not be in a position to make any recommendations. The ICO’s guidance does arguably reflect the fact that most data security breaches are minor and present little risk greater than possible inconvenience and frustration. In addition, the ICO could easily be swamped with an unmanageable workload if every breach were to be reported. There is clearly a careful balance to be struck between maintaining public confidence in data sharing and operating a workable enforcement regime. However, simply turning a blind eye to all but the most serious breaches is surely not the answer.

The biggest threat for a UK business following a data security breach is bad publicity rather than any sanction under the DPA. A breach of the fair and lawful processing requirements set out in the DPA is not in itself a criminal offence. A breach is only likely to become a criminal offence if the company or organisation in breach fails to act according to the ICO’s formal recommendations. Last year, out of potentially thousands of breaches of the DPA there were just nine prosecutions, resulting in fines or conditional discharges. Even where a data security breach comes to the attention of the public, there are few effective civil remedies. An affected individual can go to the courts and ask for compensation, but only in limited circumstances. It is not enough to have suffered injury to feelings or inconvenience – the individual has to be able to demonstrate actual loss, such as financial loss, or damage to them or their property.

Given that most breaches only cause inconvenience, the threat of bad publicity is the only sanction with real teeth available for policing data security. In this context it is surprising that the DPA does not require all breaches to be notified to the ICO, let alone the public. This relaxed enforcement attitude may encourage a culture of sloppiness in the handling of personal information. Firms increasingly understand that they can act in breach of the DPA and probably get away with it. There is a pressing need to move towards US-style data security breach notification laws whereby UK businesses would be forced to disclose if any personal information stored by them had been stolen or otherwise compromised. The ICO welcomed calls for such changes in October 2007, but still no firm proposals for legislative change have followed.

It is wholly unsatisfactory that there is very little incentive for UK firms to take their data protection obligations seriously. Indeed, firms that do so risk placing themselves at a competitive disadvantage. A wholesale review of the current data security laws is underway and any new legislation must allow the public to have confidence that they are adequately protected against the risks of security breaches and that such breaches will be brought to their attention.

David Ashmore is an Associate with the Employment Team at Reed Smith.