Renzo's points are all good.
But perhaps this is one of those issues where the ICO should push the
envelope a bit, and if a prosecution were to fail, this would be a good
argument for stiffening the law?
Marchini, Renzo wrote:
> I can't see it as usable at all. Three or four problems immediately
> jump out:
>
> 1. It is - as observed by Jim - obtaining or disclosing, and not
> allowing a third party to gain access through a lapse of security. It
> is a stretch of the language to describe posting an unsecured CD in the post
> as "disclosing" the personal data.
>
> 2. It then needs to be "reckless" (harder to prove than negligence -
> it needs, I think, a deliberate disregard of obvious risks (and perhaps of
> one of which the individual was in fact aware) - rather than simply
> failing to take steps that ordinarily would have been taken by the
> reasonable person).
>
> 3. The real difficulty is that it also needs to be "without consent of
> the data controller". The security is set by the data controller. All
> you could prosecute is the individual concerned. The higher up the
> management you go the more the consent of the "management" is likely to
> be the consent of the "data controller".
>
> 4. In any case, 55(2)(c) gives a defence to the sender of the said CD
> (or his/her management) by saying s/he reasonably believed s/he would
> have had consent of the data controller (or in practice his/her direct
> manager).
>
> It is simply not designed to capture adequacy of security issues.
>
>
> ________________________________
>
> From: This list is for those interested in Data Protection
> issues [mailto:[log in to unmask]] On Behalf Of davidwyatt
> Sent: 01 January 2008 21:17
> To: [log in to unmask]
> Subject: Re: [data-protection] Appropriate Security???
>
> Interesting observation, Jim, re obtaining and disclosing - I wonder
> if others view unauthorized disclosing as a usable offence where
> disclosure occurs due to inadequate security.
>
> I'd observe that a security breach discloses data. Therefore can
> the ICO use section 55 as an offence committed by management, particularly
> if security procedures have been recommended by the data controller's own
> appointed data protection or security specialists and not implemented
> due to inadequate budgeting?
>
>
>
> David Wyatt
>
> ________________________________
>
>
> From: This list is for those interested in Data Protection
> issues [mailto:[log in to unmask]] On Behalf Of
> J.S.M.Whitaker
> Sent: 28 December 2007 17:04
> To: [log in to unmask]
> Subject: Re: [data-protection] Appropriate Security???
>
> I suspect that getting a conviction for "reckless" may well be
> so difficult as to be unlikely. I believe that the court would have to
> be persuaded that the offender knew of the possible offence and did not
> care whether it happened or not.
>
> In any case section 55(1) relates to "obtaining or disclosing"
> not failing to look after the security of the data in an adequate
> fashion.
>
> Regards
>
> Jim
>
> From: This list is for those interested in Data Protection
> issues [mailto:[log in to unmask]] On Behalf Of davidwyatt
> Sent: Friday, December 28, 2007 4:28 PM
> To: [log in to unmask]
> Subject: [data-protection] Appropriate Security???
>
> Given the frequency of reported security lapses and no sign of
> any criminal prosecution by the ICO under section 55 for reckless
> disclosures, is the criminal offence sanction in section 55 of any
> value?
>
> I notice that current guidance implies it is acceptable to
> lessen the physical security on laptops as long as data is encrypted? Is
> this not sending a poor security message?
>
> e.g. Do all organizations make the individual personally
> responsible for always securing laptops in unattended vehicles? If not, why
> not?
>
> Most organizations these days argue they operate on a risk basis
> and not a compliance basis. Is this not reckless?
>
> I was advised throughout my own risk practitioner training that
> statutory compliance is an issue and not a risk and should be managed
> and resourced as such.
>
> If statutory compliance is accepted as part of risk management
> then compliance standards fall?
>
> Discuss / comment
>
> David Wyatt
>
>
> ________________________________
>
> ________________________________
>
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
>
> Selected commands (the command has been filled in below in the
> body of the email if you are receiving emails in HTML format):
>
> * Leaving this list: send leave data-protection to
> [log in to unmask] <mailto:[log in to unmask]&BODY=LEAVE
> data-protection>
> * Suspending emails from all JISCMail lists: send SET *
> NOMAIL to [log in to unmask]
> <mailto:[log in to unmask]&BODY=SET * NOMAIL>
> * To receive emails from this list in text format: send
> SET data-protection NOHTML to [log in to unmask]
> <mailto:[log in to unmask]&BODY=SET data-protection NOHTML>
> * To receive emails from this list in HTML format: send
> SET data-protection HTML to [log in to unmask]
> <mailto:[log in to unmask]&BODY=SET data-protection HTML>
>
> All user commands can be found at
> http://www.jiscmail.ac.uk/help/commandref.htm and are sent in the body
> of an otherwise blank email to [log in to unmask]
>
> Any queries about sending or receiving messages please send to
> the list owner [log in to unmask]
>
> (Please send all commands to [log in to unmask] not the
> list or the moderators, and all requests for technical help to
> [log in to unmask], the general office helpline)
>
> ________________________________
>
> This e-mail is from Dechert LLP, a law firm, and may contain information that is confidential or privileged. If you are not the intended recipient, please delete the e-mail and any attachments, and notify the sender. Dechert LLP is a limited liability partnership registered in England & Wales (Registered No. OC306029) and is regulated by the Solicitors Regulation Authority. A list of names of the members of Dechert LLP (who are solicitors or registered foreign lawyers) is available for inspection at its registered office, 160 Queen Victoria Street, London EC4V 4QQ.
>
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
> Any queries about sending or receiving messages please send to the list owner
> [log in to unmask]
> Full help Desk - please email [log in to unmask] describing your needs
> To receive these emails in HTML format send the command:
> SET data-protection HTML to [log in to unmask]
> (all commands go to [log in to unmask] not the list please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^