I have been asked to reply.
The Department was pleased at the successful conclusion to the two year review of the European Electronic Communications Framework last month. This included adoption of the so-called citizen’s rights amending directive which improves existing regulations on privacy and electronic communications (Directive 2002/58/EC). Officials in BIS are embarking on a major consultation and transposition exercise that will see these revisions, including the new requirements for data breach notification, implemented into UK law over the next 18 months.
These revisions introduce a new, specific definition of “personal data breach”, which includes accidental loss; and the article on data security has been significantly expanded to address issues of access to, storage of, transmission and processing of such personnel data. The competent national authority (Information Commissioner’s Office) will now be able to audit the security policies of operators and any breach of personal data requirements will have to be notified to the authority and individuals concerned.
At the current time, organisations and individuals can be subject to enforcement orders and sanctions under the provisions of the Data Protection Act (DP A) 1998, following prosecution in a magistrates or crown court (£5,000 in the former, unlimited in the latter). In 2010, provisions of the Criminal Justice and Immigration Act 2008 take effect whereby the Information Commissioner could also issue a monetary penalty for a breach of data privacy provisions in that Act.
The revised e-Privacy Directive contains a new article which specifically addresses investigation and enforcement of the improved regime and provides for penalties, including criminal sanctions, that are both proportionate and dissuasive. The Department will be consulting consumers, operators and other stakeholders on developing this regime over the next 18 months.