How the UK got data breach notification over the line


Australian adoption remains uncertain.

UK organisations took privacy more seriously after the country's Information Commissioner's Office made data breach notification "best practice", according to former commissioner Richard Thomas CBE.

Thomas, who was information commissioner between 2002 and 2009, told iTnews that the British regulator took the step after several embarrassing, high-profile government and bank breaches in 2007.

Making senior executives of banks personally responsible for enforceable undertakings after breaches also inspired the UK business community to change its attitude to data protection, he added.

"I insisted that the undertakings be signed by the chief executives of the banks personally. I have no doubt that really raised the profile of the issue inside the banks. From that point on they took it more seriously. Other financial services and commercial operations took it more seriously the same way that government was taking it more seriously," he said.

"There are still too many lapses. It's by no means perfect, although it has got better."

During Thomas's tenure, the UK information commissioner had no powers to impose fines for breaching privacy laws.

In addition, the ability to use enforcement orders against organisations was only a theoretical possibility that had never been tested.

However, the commissioner could resort to audits and name-and-shame measures, he said.

"We made it clear that if we had discovered a breach and that we hadn't been told about it then we would take it more seriously," Mr Thomas said.

Australian uncertainty

Thomas's comments come amid uncertainty over whether Australia's new federal government will proceed with the former Labor government's plan to pass laws forcing organisations to notify regulators and the public of serious data breaches.

The legislation was among a handful of bills that failed to pass the Senate before parliament was prorogued in June.

Yesterday, long-time champion of the mandatory notification bill, Australian federal Privacy Commissioner Timothy Pilgrim, declined to reveal whether he had discussed the bill with federal Attorney-General George Brandis.

Arguably, Australia's privacy commissioner is in a good position to adopt the UK practice of recommending that organisations notify the regulator of data breaches rather than making it law.

From March next year the Australian privacy commissioner will have the power to impose hefty financial penalties on organisations for serious and repeated breaches. Compliance with the UK commission's best practice recommendation became riskier for organisations after it was given powers to impose fines.

"I think you would either be a very brave or foolish organisation to notify now," Thomas said.

In the last two to three years of Thomas's tenure the UK commission received 515 voluntary notifications. He estimates that since then it has received about 1500 voluntary notices.

However, Thomas said he was sceptical of laws requiring notices to individual consumers. His view, he said, had been coloured by the experience of North American privacy regulators.

"People just get bored by it, almost. They don't understand its relevance to them personally and they're not sure what they're supposed to do about it so I've always thought that the value of notification was to regulators.

"The top priority is to stop the breach. When I was commissioner we put out a lot of advice on our web site as to what you should be doing."
