Prison for DPA breaches

The new Information Commissioner, Christopher Graham, has recognised that current penalties for breaching the UK Data Protection Act are derisory and has called for the introduction of prison sentences for reckless breaches.

Excellent.

But not enough. The ICO is only responding to the pathetic sentences handed down to private investigators and others who actively and deliberately breached the DPA. As I have said on previous occasions, we need to go much further. The only way we will develop a real culture of compliance is if the directors of companies that breach the DPA are personally liable to fines and prison sentences for failing to ensure that their companies took adequate steps to comply with the DPA.

After all, if larger organisations took appropriate steps to protect personal data, it would be that much harder for the unscrupulous smaller operators to breach their security to illegally obtain data, wouldn’t it?

3 Responses to “Prison for DPA breaches”

  1. Patrick Innes Says:

    Thank you, Alan, for stressing and pressing for the imposition of stricter sanctions against very senior management, especially of major corporations (for they, after all, are the ultimate data controllers), for reckless management of personal data.

    When I was part of the UK Data Protection Forum, during the early days of the UK's 1984 DP Act, I felt, and stated vociferously, that trading in personal data should be a criminal offence. If that was not to be the case, I campaigned for an opt-in data collection process, because that would mean only a 2% collection rate, rather than the 98% that does happen. The minuscule 'opt-out' box and its associated barely-readable (especially for those with poor eyesight) text do not lead to fair collection in my view.

    I certainly hope your influence can have the results we would like to see. It would be wonderful if the sphincters of the leaders of British industry were tightened by the threat of stricter application of our DP legislation.

  2. An Information Manager Says:

    I could not disagree more.

    Information is created and disseminated by individuals, not their managers or directors. If the misuse of personal information is to be stopped we need to address the lack of knowledge and concern at the lowest levels in organisations. I have often experienced this.

    What you are suggesting here is tantamount to the finance function ignoring financial training and allowing staff to do what they wish with their company's financial assets, and then blaming / jailing the FD for the fraud that ensues.

    Sanctions against directors will help with only the grossest corporate breaches of the DPA. For real and lasting change, basic end-user training and consequences for individual breaches are what is really needed.

  3. Mike Stephenson Says:

    I think both the previous comments have a point, and I have expanded my view on this issue on my own blog at http://stemi08.wordpress.com/