Encryption Laws: ICO Gains Power To Hand Out Monetary Fines In April 2010.



Yesterday, I had blogged how UPS in the UK had encrypted all of its laptop computers and smartphones as part of a settlement with the ICO, the Information Commissioner’s Office.


I had assumed that this was in order to escape any fines to be levied; however, I’ve found out that the ICO does not have the power to fine companies for ignoring the Data Protection Act.  This lack of power, though, is temporary.  Beginning in April of next year, the ICO gains the ability to hand out fines.


Once in place, it may speed up the adoption of data security tools like data encryption software from AlertBoot.


ICO Given Power to Hand Out Fines



While it’s not final, there is a strong indication that the ICO will (finally) be given the ability to hand out monetary penalties if one of the eight UK data protection principles is broken by an agency or company.  A spokesman for the ICO has come out and said so, although there are details to be hashed out.


The ability to fine comes with a caveat, however.  A penalty can be levied only if “the Data Protection Act has been knowingly or recklessly breached.”


The actual amounts that can be handed out have not been decided yet.


Can A Company Be Fined For Not Using Encryption?



I’m not a lawyer (or a barrister), so I can only give my opinion; however, it seems to me that the law is pretty clear:



7.  Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.


8.  Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.[my emphasis]


The above are points seven and eight of the 8 data protection principles, as found in the ICO’s “Framework code of practice for sharing personal information.” (All 8 follow below.)


Combine the above with the ICO’s admonitions about the lack of encryption on lost laptops that contained sensitive data, and I think that, yes, not using encryption software to protect a laptop’s sensitive contents will be grounds for monetary penalties.


The trick, of course, is for the ICO to prove that a “breachee” had acted recklessly by not encrypting data.


The 8 UK Data Protection Principles



From the “Framework code of practice for sharing personal information,” Appendix 1:




  1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless
    (a) at least one of the conditions in Schedule 2 is met, and
    (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.


  2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.


  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.


  4. Personal data shall be accurate and, where necessary, kept up to date.


  5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.


  6. Personal data shall be processed in accordance with the rights of data subjects under this Act.


  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.


  8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Related Articles and Sites:
http://secretscotland.wordpress.com/2009/07/24/april-2010-could-see-first-fines-by-the-information-commissioners-office/
http://www.itproportal.com/portal/legal-it/article/2009/7/23/information-commissioner-enjoys-new-powers-fine-april-2010/
http://www.out-law.com/page-10188