The Ministry of Justice (MoJ) is to ask citizens whether the Information Commissioner's Office (ICO) should have stronger powers and whether current laws are continuing to safeguard people's personal data.
The MoJ is to issue a call for evidence on current data protection legislation. It is also asking for views on how the European Directive and the Data Protection Act are working, the impact of data protection on individuals and business and whether the current powers and penalties of the Information Commissioner could be strengthened.
Lord McNally, the Minister of State for Justice, admitted that since the Data Protection Act laws were introduced in 1998 the way people live their lives has changed and ‘we are handing over the keys to our personal information almost daily’.
He said: “We want to gather evidence and views on whether the current data protection laws are working in light of social and technological changes since the mid-1990s.
“As individuals, citizens and consumers, we have the right to know our data is properly protected, and the Government is keen to gather evidence about how helpful the existing legislation is, as well as ideas on how the current data protection regime can be improved.”
Dave Everitt, general manager EMEA at Absolute Software, welcomed the move, saying that it was right for the government to open debate on UK and European data protection laws for public input.
He said: “After all, it's the general public who are often the ultimate victims in the event of a data leak. However, it's important to remember that in many cases the problem is ignorance, rather than deliberate deviance when it comes to data protection law.
“In opening up legislation for input from businesses and consumers, the law will hopefully become more transparent and advice given to businesses by regulators should encompass all forms of data protection available to them. Businesses must understand they can take action to stop data loss. As we've seen time and time again, simply hoping it won't happen is no way to reassure the public that their data is safe.”
Christopher Jenkins, business manager for security at Dimension Data, also said that the laws should constantly evolve in line with how individuals and businesses interact with and manage data.
He said: “With employees now accessing the likes of Facebook and Twitter through work, and demanding the use of devices such as iPads and smartphones on the corporate network, the likelihood of company data to be lost or stolen is extremely high.
“What we need now is for a real incentive - whether that be increased fines from the ICO or public naming and shaming - for businesses to review and take seriously how private and confidential data is managed and to ensure that if data is lost, it is protected in such a way to prevent it from being used maliciously.”
Earlier this week, a survey by Unisys found that a third of UK employees use a personal device for work purposes. Ewen Anderson, managing director of IT consultancy Centralis, admitted that this could be part of the problem, as it is simply not possible to prevent the deliberate removal of personal data from systems unless they are made so inflexible as to prevent their legitimate use.
He said: “Organisations can only take measures to prevent accidental loss, and that is increasingly difficult as employees move away from traditional workplaces and to access via mobile devices. The best practice should extend to conditional access which checks the client device and user's identity before data can be viewed and checks encryption is in place before any data can be transferred.
“The act, or at least its enforcement, therefore needs to recognise some balance between best practice, scale and culpability – as well as the reality that work is increasingly carried out away from easily controlled and monitored environments.”
In agreement was Colin Woodland, VP EMEA at IronKey, who said that often people will be given a laptop, a phone and a solution such as an IronKey, and be told that it has to be used for data storage, as it is manageable.
He said: “Companies should be used to safe practice as part of their business practice on securing data and it shouldn't take ICO enforcement. However, companies understand the guidelines but what are they getting fined for? Is it losing five records or five million, what are the boundaries? This is part of what we are trying to suggest, but people do not understand the requirements. They will have to fine to be seen as making some sort of effort, businesses are aware of the ICO but not what the rules are.”