Lords propose to criminalise information disclosure
The UK House of Lords has passed an amendment to the data protection provisions of the Criminal Justice and Immigration Bill that could substantially toughen the law on data breaches. Section 77 of the bill adds s.55A to the Data Protection Act 1998, vis.
A data controller must not–
(a) intentionally or recklessly disclose information contained in personal data
to another person,
(b) repeatedly and negligently allow information to be contained in personal
data to be disclosed, or
(c) intentionally or recklessly fail to comply with duties under section 4(4)
making these actions criminal offences.
The amendment, introduced by Baroness Miller of Chilthorne Domer, was passed in the Lords by 134 votes to 130 – a marginal defeat for the government, which opposed the changes. It still needs to be approved in the Commons if it is to become law. A clause in the Bill that proposed jail sentences of up to two years for people who steal or sell personal data was quite recently quietly shelved by the government. An alternative amendment which would only apply to public bodies or workers on contract to the public sector was rejected on the grounds that it was a false distinction. Baroness Miller said "Citizens do not mind who lost the data; it is irrelevant to them. What is important is that it is their data that have been sold, lost or left on rubbish heaps and it is they who are affected by it".