UK Information Commissioner gets tough on data security

Losing a laptop is 'gross negligence', Thomas tells Lords committee

UK Information Commissioner Richard Thomas has argued for much tighter data protection laws in Britain, insisting that those who lose data should end up in court.

Thomas told the Lords Constitution Committee that those who knowingly or recklessly flout data protection rules should be prosecuted and fined up to £5,000.

"If a doctor or hospital [employee] leaves a laptop containing patient records in his car and it is stolen, it is hard to see that as anything but gross negligence," Thomas told the Lords.

"The Commission can currently issue enforcement notices, but these do not impose any element of punishment for wrongdoing."

Thomas suggested that one-off cases should not be prosecuted, but that systematic abuse needs greater censure.

He also proposed that companies should be subject to data security inspections without warning, replacing the current system, which relies on consent.

Jamie Cowper, director of European marketing at PGP Corporation, said: "Given the recent spate of data breaches at NHS trusts, perhaps Thomas's approach is the only way to get the medical establishment to take this problem seriously.

"However, by placing the emphasis on protecting the device (specifically laptops) rather than the confidential data itself, he could be accused of treating the symptoms rather than providing a cure.

"It is not fair to expect doctors to be data security experts. The NHS should respond to the proposed legislation with a programme of data security education and a systematic roll-out of data protection technology such as encryption."

Increasing use of mobile devices by government and industry is creating a major problem with data leakage. A recent survey of local councils found that barely half use data encryption, even though over a third had lost a laptop.