US-style personal data breach notification is not a workable model for the UK, the UK's information watchdog told RSA delegates.
In a keynote address, Information Commissioner Richard Thomas said: “I am not convinced by legislation that requires companies to individually warn the public if their details have been compromised. The severity and circumstances of each breach merit a different response, and mandatory notification doesn't take this into account. It would be a significant additional burden for businesses, and could cause public 'breach fatigue'.”
California introduced a compulsory notification law that has often been held up as a desirable standard in breach notification legislation. Thomas also called for CEOs and public sector bosses to shape up and take responsibility for personal data, rather than expecting IT departments to deal with the issue.
“Data protection has come in from the cold, and there is a pressing need for awareness right at the top. Permanent secretaries and CEOs must be certain that responsibility for data is clear, and they must be certain who has responsibility for each set of data”, said Thomas.
“This responsibility rests with the whole organisation, from board downwards. Information is a toxic liability if not handled correctly.”
Thomas also welcomed recent promises from the Secretary of State Jacqui Smith that proposals for a giant government database of all telecoms and internet traffic would receive a public consultation before being put before parliament. “I feel reassured that this debate is going to take place”, he said.