Robin Wilton's esoterica

       
 

Liability for data breach damages


I was at the Enterprise Privacy Group's (EPG) "Postcards from the Future" workshop yesterday, and as you might imagine, a lot of our discussion was driven by the highly topical matter of the HMRC data breach. This time last week, I blogged about some of the foreseeable long-term liability issues which might arise if the missing disks are either discovered to have fallen into malicious hands, or simply never turn up again. I also mentioned the readiness with which the Chancellor assured us that the banks would pick up the tab for any resulting identity fraud.

Yesterday, in the course of an extremely constructive workshop, one of the participants made the following very interesting observation: Section 13 of the Data Protection Act 1998 runs as follows (the italics are mine):


13 Compensation for failure to comply with certain requirements

(1) An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.

(2) An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if -
(a) the individual also suffers damage by reason of the contravention, or
(b) the contravention relates to the processing of personal data for the special purposes.

(3) In proceedings brought against a person by virtue of this section it is a defence to prove that he had taken such care as in all the circumstances was reasonably required to comply with the requirement concerned.


Of course, in the absence of some kind of forensic meta-data this still appears to leave the onus on the data subject (in however many years' time) to establish the connection between this data breach and any damage suffered, but the prospect of that potential liability cannot be a comforting one for the data controllers in question.

 
 
 
 
Such views as I express in this blog are based on my own opinions, experience and judgements. They do not necessarily represent the policy or views of my employer. It is not my intention to offend readers in any way. If you find anything on this blog offensive, please contact me in the first instance.
Robin Wilton
© racingsnake