DPA Laptop Encryption is (Not) Required.

A frequently asked question is whether laptop encryption is required in the UK by law. The answer is “no”. Legally speaking, there is no such requirement under the Data Protection Act of 1998 (DPA) and its subsequent amendments. However, the issue appears to be more complex. For instance, the Information Commissioner’s Office — which is […]

UK Data Breach Notification: Not Required.

In the UK, unlike the United States of America and other nations, there is no data breach disclosure law. Consider these words from the Information Commissioner’s Office (October 2010): “Although there is currently no legal obligation on data controllers to report breaches of security which result in loss, release or corruption of personal data, the […]

What Offences Exist Under the UK Data Protection Act?

The United Kingdom’s Data Protection Act (DPA) has three sections that deal with offences: Section 21, Section 55, and Section 56. Of these, Sections 21 and 55 are linked in the sense that a violation of Section 21 means an automatic violation of Section 55 (but not necessarily the other way around). Section 21 – Offences […]

What Type of Penalties Exist for UK DPA Violations?

There are a number of ways that the Information Commissioner’s Office (ICO) can penalise a company for a data breach: Undertakings, Enforcement Notices, Monetary Penalties, and Custodial Sentences (sought by the ICO). Of the four, perhaps the monetary penalties are most famous due to their head-turning figure: a maximum possible fine of £500,000. However, the other […]

UK Data Protection Act – Encryption Basics.

According to an October 2011 tracking survey by the Information Commissioner’s Office, 75% of UK organizations are aware of their legal duty to keep personal data secure. That’s right, legal duty, as described in the UK Data Protection Act of 1998 (DPA). This represents an incredible 26% increase from 2010 figures. The bad news, though, […]

Is the ICO Targeting Government When Handing Out Monetary Penalties?

The Information Commissioner’s Office (ICO) claims that, despite the development over 2010–2011, it is not targeting government bodies when handing out monetary fines. (Strictly speaking, the correct term is “civil monetary penalty”. A fine is related to criminal offences; a violation of the eight principles in the Data Protection Act is not a […]

Breaching Section 55 of the UK Data Protection Act.

All of the penalties handed out by the Information Commissioner’s Office (ICO) are geared towards penalising organizations. However, the Data Protection Act (DPA) also targets the behaviour of individuals. Specifically, Section 55 of the DPA, headed “Unlawful obtaining etc. of personal data”, states: “(1) A person must not knowingly or recklessly, without the consent of the […]

No Custodial Sentences for UK DPA Breaches.

Beginning in 2006, the Information Commissioner’s Office (ICO) has called for imprisonment as punishment for offenders of the Data Protection Act. The ICO made this proposal in a special report titled “What Price Privacy? The Unlawful Trade In Confidential Personal Information”. As of October 2011, custodial sentences are still absent as a form of punishment. […]

DPA Data Controller Penalty: Maximum £500,000 Fine.

How Does A Controller Get Served A Fine? The issuance of monetary fines has a very well-defined process. First, the ICO conducts an investigation to ensure that it’s a type of offence where a fine can be assessed. If so, the amount is decided upon and a “notice of intent” is served to the data […]