
ICO takes enforcement action against MOD and HMRC
Richard Thomas, Information Commissioner, said today: "I will be taking formal enforcement action against HMRC and MOD following the serious data breaches that have occurred."
'The reports that have been published today show deplorable failures at both HMRC and MOD. Whilst these breaches have been highly publicised and involve big numbers, sadly they are not isolated cases. It is deeply worrying that many other incidents have been reported, some involving even more sensitive data. It is of fundamental importance that lessons are learned from these breaches. Information security and other aspects of data protection must be taken a great deal more seriously by those in charge of organisations. No chief executive can now say that data protection doesn't matter.
'It is beyond doubt that both Departments have breached Data Protection requirements and we intend to use the powers currently available to us to serve formal Enforcement Notices on them. To comply with the terms of the Enforcement Notices we will require HMRC and the MOD to use their best endeavours to implement all the recommendations outlined in the reports. We will also be monitoring the situation closely. We will require progress reports to be published after 12, 24 and 36 months documenting in detail how the recommendations have been, or are being, implemented to improve Data Protection compliance. Failure to comply with an Enforcement Notice is a criminal offence.
'I welcome the seriousness of the requirements and guidance for central government in the Cabinet Secretary's Data Handling Report; this material should help chief executives across the whole of the public, private and third sectors achieve better compliance with the Data Protection Act and keep people's personal details more secure.'
Failure to comply with an Enforcement Notice is a criminal offence. The Criminal Justice and Immigration Act creates tough new sanctions for the Information Commissioner's Office (ICO) to use, but the legislation has not yet been brought into force. This new legislation gives the ICO the power to impose substantial fines on organisations that deliberately or recklessly commit serious breaches of the Data Protection Act. The prospect of substantial fines will act as a strong deterrent and help ensure that organisations take their data protection obligations more seriously.

























