Taxpayers Alliance Calls For Personal Liability For Data Breaches

The Taxpayers’ Alliance says public sector data loss fines should be paid by individuals, not taxpayers – others disagree

Low tax campaigners Taxpayers’ Alliance has criticised the way the Information Commissioner’s Office (ICO) deals with public sector breaches in data protection, claiming that current penalties are just a way to double tax the public.

According to the body, the £640,000 in fines paid to date by councils in breach of the DPA has gone back into central coffers, something it views as pointless.

Pass the parcel

The Alliance believes that this reshuffling of public funds is meaningless and that staff rather than taxpayers should be held financially accountable for data loss.

In the statement, an ICO spokesperson is quoted as saying that “The purpose of monetary penalties is to act as a deterrent to serious non compliance with data protection obligations. The best way a public authority can protect taxpayers’ money is by not being lax in the way it looks after personal information. It is also important to note that any monetary penalty is paid into the Treasury’s Consolidated Fund and is not kept by the Commissioner.”

Dominique Lazanski, head of digital policy at the TaxPayers’ Alliance, said: “Of course people in these situations should be held personally liable as if the council is fined, then that fine is paid for out of the local council taxes. In essence it is a double tax – once for collecting/storing the data and again for losing it.”

“It has been my opinion that while I think the best kind of government is limited government, we have an Information Commissioner who isn’t even doing his job in many cases and this seems like yet another example,” added Lazanski.

Threat mitigation specialist Cryptzone has rubbished the suggestion, stating that while the idea may be superficially attractive, it could have negative results in the medium-to-longer term since such a policy would reduce employees to ‘scared rabbits caught in headlights’ as far as IT security is concerned.

Grant Taylor, UK VP of Cryptzone, said: “If the penalties are applied to nominated senior managers in the relevant NHS trust, council or other government agency – as is the case with corporate responsibility, for example within transportation authorities – then the public sector could be forced into building liability insurance remuneration into management salaries, as has been required by medical professionals for some time.”

Despite this, Taylor believes that discussing the potential for employee liability would “make at least some of the staff more security conscious and responsible”. He did warn that sowing the seeds of irrational fear and implementing a carrot-and-stick mentality should be avoided in favour of fair and consistent communication to bring about behavioural change.

“There needs to be a full and frank debate on both sides of the management/employee divide on this subject, but to reduce the argument to individual ICO penalties within the workforce would only result in the departure of the most talented members of staff – who will be streamed off into the private sector – with predictable results. This is what makes this argument something of a non-starter in our opinion,” he said.