On 17 June 2016 the House of Commons Select Committee for Culture, Media and Sport (“The Committee”) published its report on the inquiry into the current state of cyber security and protection of personal data. The inquiry was triggered by a cyber attack which compromised the data of TalkTalk customers, on 21 October, 2015. TalkTalk is a UK based telecommunications provider.
The Committee considered the problem of the increasing size and frequency of cyber-attacks upon personal data. The report recognised the limits of the current powers of the Information Commissioner’s Office (“ICO”), the UK’s personal data regulator, and made a number of recommendations concerning how the ICO could become more proactive in dealing with attacks.
ICO’s Current Powers
Under UK law, the ICO helps companies comply with UK data protection law in a number of ways, including:
- by ensuring the proper collection, use and storage of personal information;
- by enforcing the Privacy and Electronic Communications Regulations in respect of electronic marketing;
- by maintaining a register of companies processing personal data as “data controllers”; and
- by helping public bodies to correctly apply various Freedom of Information and Environmental Information laws, regulations and codes.
In order to achieve these aims there is a range of powers available to the ICO, including the ability to bring criminal proceedings, take non-criminal enforcement action, conduct consensual audits, impose fines (up to a maximum of £500,000) and make assessments of good practice. Despite the powers available to the ICO, the current volume of attacks suggests that the body needs reforming to better address cyber security concerns.
The Committee recognised the limits to the powers of the ICO and made a number of recommendations for improvement. These are focused around early prevention, increasing consumer awareness of privacy protection and increased capabilities to provide deterrence through more serious repercussions where a breach occurs.
In order to facilitate prevention of attacks the Committee recommended that the ICO be enabled to undertake non-consensual audits of companies, particularly in the health and local government sectors. It also recommended annual reports on the preventative measures that a company is taking. The combination of these should help to keep the ICO informed as to whether or not there are issues of compliance with data protection regulation and enable a more proactive approach to data protection.
The Committee also proposed that the ICO needs more powers to increase customer awareness of their data protection rights. The report recommended imposing fines where a company does not offer adequate guidance to customers on how to verify the authenticity of communications. Under the Committee’s plans, this would be complemented by the proposed ‘privacy seal’ which would work on a traffic light system, demonstrating to consumers that a company follows high compliance standards, is making progress towards this, or is “yet to have taken the issue seriously.” These recommendations should help the ICO to ensure that consumers are able to make informed decisions on whether or not a company demonstrates “good privacy practice” in handling their personal data.
Finally, where an attack has already taken place, it was recommended that the ICO needs to be able to access a broader range of remedies, such as custodial sentences, by bringing into force sections 77 and 78 of the Criminal Justice and Immigration Act 2008. This would discourage individuals from disregarding the proper handling of data by treating it as “merely” a corporate compliance obligation. The Committee also recommended introducing fines for failure to report breaches, which would increase depending upon the time taken to report an incident, thereby incentivising early reporting.
Implications of the GDPR
The Committee made a number of recommendations which overlap with the changes that will come into force in 2018 through the EU-wide General Data Protection Regulation (“GDPR”).
The GDPR will increase the powers of the ICO in a number of ways. Companies which commit serious infringements will be liable to pay fines of up to 4% of global annual turnover or €20 million, whichever is the greater amount. The regulation will also introduce mandatory reporting of personal data breaches within a 72-hour timeframe of the breach taking place. Finally, the GDPR will empower the ICO to place greater emphasis on ensuring the transparent handling of personal data by companies, and on the importance of having clear, easily digestible but also comprehensive privacy notices, which tell individuals how their personal data is used and the rights that they have under the GDPR.
The Committee report acknowledged that the GDPR will “help focus attention on data protection” but sought to make its own recommendations to complement these and increase the ICO’s powers further.
The direction of travel indicated by both the Committee’s report and the changes in EU legislation is clear. We are moving towards a world where personal data handling is treated with the utmost seriousness by regulators. Those regulators will have a mandate to ensure that individuals are provided with clear, upfront information about how their data is looked after, and that strong redress is taken when things go wrong. It is the companies who take a proactive approach – who engage with their customers, their suppliers and their regulators to ensure that they are providing accurate information about data processing, and that they have the right information security systems in place – that will be best placed to survive in this new landscape.