In a keynote address, Information Commissioner Richard Thomas said: “I am not convinced by legislation that requires companies to individually warn the public if their details have been compromised. The severity and circumstances of each breach merit a different response, and mandatory notification doesn't take this into account. It would be a significant additional burden for businesses, and could cause public 'breach fatigue'".
California introduced a compulsory notification law that has often been held up as a desirable standard in breach notification legislation. Thomas also called for CEOs and public sector bosses to shape up and take responsibility for personal data, rather than expecting IT departments to deal with the issue.
“Data protection has come in from the cold, and there is a pressing need for awarreness right at the top. Permanent secretaries and CEOs must be certain that responsibility for data is clear, and they must be certain who has responsibility for each set of data”, said Thomas.
“This responsibility rests with the whole organisation, from board downwards. Information is a toxic liability if not handled correctly.”
Thomas also welcomed recent promises from the Secretary of State Jacqui Smith that proposals for a giant government database of all telecoms and internet traffic would receive a public consultation before being put before parliament. “I feel reasured that this debate is going to take place”, he said.