Privacy law will bury us under paper mountain, warns data watchdog

The UK's privacy tsar Christopher Graham has said that proposed EU legislation will bury his office in paperwork and restrict its ability to guard against serious misuse of personal data.

The UK's privacy tsar has warned that proposed EU laws, forcing companies to notify consumers when their personal details have been compromised, will paralyse his office by burying it in paperwork.

The forthcoming General Data Protection Regulation will require organisations to notify data protection authorities of a "personal data breach", preferably within 24 hours.

Speaking yesterday at the Infosecurity Europe 2012 conference the UK information commissioner Christopher Graham said the proposed EU legislation will result in his office being swamped by data breach notifications, reducing its ability to focus on serious breaches of privacy.

"What I don't want is what is proposed in the new draft EU regulation, which has mandatory breach notification for every single breach, whatever its size, whatever its significance," he said.

"That's going to turn the Information Commissioner's Office (ICO) into a paper pushing factory where we have no margin to tackle those subjects where there's greatest consumer detriment. We'll simply be processing stuff.

"You will have a slightly under-resourced data protection authority struggling through a mountain of paper. The ICO will have precious little ability to raise our eyes from the desk in order to decide what we do."

The draft EU regulation offers a broad definition of the type of data breaches that will require notification. It defines a personal data breach as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data". Personal data is defined as "any information relating to a data subject".

There is currently no legal requirement for UK organisations, other than communication service providers, to notify the ICO about a data breach. The ICO advises organisations to notify it when there has been a serious breach, which it defines as a breach involving sensitive data, such as healthcare information, or one affecting a large number of people.

It will likely be at least a couple of years before the draft EU regulation becomes legally binding, as it will need to be debated by the European Council and Parliament before being ratified, and adoption by European member states may take several more years.

Graham added he hopes his concerns about the draft regulation will be addressed by amendments before it becomes law.

A spokeswoman for the European Commission said that the draft regulation is designed to require notification relating to "serious breaches" and "doesn't mean every little breach" will need to be reported.

The draft regulation also requires organisations to notify people whose personal details have been compromised in many instances. The regulation states that such notification should occur "when the personal data breach is likely to adversely affect the protection of the personal data or privacy of the data subject".

About

Nick Heath is chief reporter for TechRepublic UK. He writes about the technology that IT-decision makers need to know about, and the latest happenings in the European tech scene.

3 comments

andrew232006

If simply being notified creates so much paperwork he should update his process. Is the current system to only respond to what companies choose to let him know about? They have no vested interest in protecting people from information theft. Personally I'd like to know when my personal data has been stolen.

HAL 9000

We don't want to have to spend the money to secure our Services so what we propose is a Mandatory Reporting Scheme for every Data Breach so that the Regulators are unable to do the job that they were put there for. Have you never watched Yes Minister/Prime Minister? This time however it's the nasty Europeans doing it to the British Civil Service so they should be well and truly screwed over. :^0 Col

bboyd

Under pain of cost, stop having data breaches. They should not be happening, they cost your company goodwill and brand image every time they happen regardless of the Law.