It may sound like a modern version of "rock, paper, scissors" - but actually it was just the shortest way I could come up with to express some strange anomalies in the way data breaches are handled. There's news today that a civil servant who left two classified documents on a train is to be charged under the Official Secrets Act.
According to this BBC article, the official concerned will be charged under Clause 8 (1), which runs as follows:
(1) Where a Crown servant or government contractor, by virtue of his position as such, has in his possession or under his control any document or other article which it would be an offence under any of the foregoing provisions of this Act for him to disclose without lawful authority he is guilty of an offence if—
(a) being a Crown servant, he retains the document or article contrary to his official duty; or
(b) being a government contractor, he fails to comply with an official direction for the return or disposal of the document or article,
or if he fails to take such care to prevent the unauthorised disclosure of the document or article as a person in his position may reasonably be expected to take.
In other words, leaving classified documents on a train is care-less. And that's official. The penalty for a guilty verdict under Clause 8.1 is summary conviction and a sentence not exceeding three months, or a fine. Incidentally, it looks as though the Official Secrets Act 1989 is now less strict in some respects than the current law in force. Clause 11 says that offences under Clause 8.1 are not arrestable offences; but I believe that the current government has since legislated to make all offences arrestable ones. As you will probably recall from previous posts, one side-effect of being nicked for an arrestable offence is that you can be required to contribute a DNA sample to the National DNA Database.
As it happens, the documents in this instance were apparently handed to the BBC by whoever found them, and thence to the police, who presumably returned them to the department in question. It's interesting, then, that under Clause 8.1 of the Act, there's no mention of presumed or actual damage - only of 'poor care-taking'. OK - you may say - as the BBC and the police can be considered unlikely to have passed copies to Al Qaeda, there may have been no actual damage. However, for a disclosure to be considered 'damaging' and therefore an offence under the Act, it is not necessary to prove actual damage.
According to Clause 1 (4) (b), a disclosure of information is damaging if "it is of information or a document or other article which is such that its unauthorised disclosure would be likely to cause such damage".
And there we come to the nub of it; despite public sector data breaches having hit the headlines with alarming frequency over the last couple of years, this is the first time I can remember the OSA being applied. Clause 5 is the interesting one here. Its title is "Information resulting from unauthorised disclosures or entrusted in confidence", and it runs:
"(1) Subsection (2) below applies where—
(a) any information, document or other article protected against disclosure by the foregoing provisions of this Act has come into a person’s possession as a result of having been—
(i) disclosed (whether to him or another) by a Crown servant or government contractor without lawful authority; or
(ii) entrusted to him by a Crown servant or government contractor on terms requiring it to be held in confidence or in circumstances in which the Crown servant or government contractor could reasonably expect that it would be so held;"
Given that this would seem to make the OSA applicable to a number of recent public sector data breaches, one has to wonder why it is only in the case of a classified paper document that it has been applied, and not in cases of the inappropriate disclosure of digital data.
![[RSS Newsfeed]](/themes/sotto/images/valid-rss.png)
![[This is a Roller site]](/themes/sotto/images/roller-logo.gif){kind=logo}