Government officials could face jail if they are found to be grossly negligent in any failure to protect citizens’ data, under proposals contained in a Cabinet Office interim review of data handling procedures in government.
The call for new sanctions under the Data Protection Act is the key recommendation of the report, by cabinet secretary Gus O’Donnell.
The report said the strongest sanctions should be applied to “the most serious breaches of [the Data Protection Act’s] principles.”
“Such proposals will have to take account of the need not only to provide high levels of data security but also ensure that sensible data-sharing practices can be conducted in an environment of legal certainty,” the report noted.
It also called for an extension to the powers of the information commissioner, to enable spot-checks not just on central government departments but anywhere in the public sector.
Responding to both proposals, information commissioner Richard Thomas said he welcomed the commitment to strengthening the powers of his office and the putting in place of new sanctions for the most serious breaches of data protection principles.
“These new arrangements will not be burdensome or onerous for organisations. They are a vital step to ensure there is proper protection for personal information,” he said.
But Thomas warned it was “essential” that the ICO was “properly resourced to discharge any new responsibilities effectively.”
The Cabinet Office report also said the government should continue to develop mechanisms to support data security.
“Government-wide guidance to those involved in data handling, setting clear common standards and procedures for departments on data security, should be further reviewed,” it said, to focus on “the supoport provided to those performing particular roles, such as the senior information risk officer.”
The Cabinet Office’s next report on data security will be published in the spring.
Profile of HMRC
Report calls for Privacy Impact Assessments