Businesses and financial institutions are being left waiting over a new law that will impose financial penalties over data losses.
FutureSoft claimed that the data protection law (s55A DPA) could see fines delivered to companies if they fail to implement adequate measures to protect sensitive personal information over the next three months.
Under the law, the Information Commissioner should have been given the power to impose civil monetary penalties on businesses that fail to protect sensitive personal information by implementing reasonable measures, if such data is subsequently lost.
Details of the new civil monetary penalties, in line with internal government targets and ministerial commitments, were due to be published in March, following Lord Bach's commitment and original target. This was consistent with a later recommendation of the House of Lords Select Committee on the Constitution to implement the penalties ‘as soon as possible'.
However, despite Lord Bach's commitment to empowering the data commissioner ‘as soon as possible', the provision for statutory penalties has not yet been ‘activated' by the necessary statutory instrument.
FutureSoft understands that the Ministry of Justice was set an internal target, at ministerial level, to finalise and implement the regime of civil monetary penalties before the parliamentary summer recess, ‘at the latest'.
At the beginning of March, assistant data commissioner Mick Gorrill admitted that the maximum penalties had yet to be prescribed, and there is, as yet, no sign of the statutory guidance.
Government good practice is to provide statutory guidance twelve weeks before legislation comes into force, and that twelve-week point has now passed.
Tim Farrell, FutureSoft CEO and data security specialist, said: “Businesses need to face up to the challenge of securing sensitive data. It is imperative that they take adequate measures to protect personal data, regardless of the timetable for regulatory sanctions. Recent data loss has seriously harmed the reputation and effectiveness of UK business. Organisations, now more than ever, need to ensure that they take reasonable care to secure sensitive personal data.
“As a minimum, personal data should be secured from downloading, be adequately encrypted in transit, and have access restricted by using the appropriate technology. The reasonable measures demanded by law are likely to entail both intelligent management and the deployment of robust endpoint security.”