DATA PROTECTION controllers should face sanctions for deliberate or reckless breaches of information protection law, a Government-appointed review group has concluded.
The obligations of controllers to report security breaches should be set out in a statutory code of practice, which would outline when disclosure of data breaches is mandatory, and failure to highlight such incidents should lead to prosecution, the report by the Data Protection Review Group states.
The report says the Office of the Data Protection Commissioner should develop its information breach investigation and audit activities in a targeted way, with a particular focus on organisations holding sensitive personal data.
The group consisted of senior Government officials, academics and Data Protection Commissioner Billy Hawkes, and was established in November 2008 by Minister for Justice Dermot Ahern.
“Legislation should provide for the timely publication of the outcome of data protection audits, as an aid to good practice and in the interests of transparency,” the report says.
“The code should be reviewed on a regular basis by the Data Protection Commissioner and amendments submitted to the Minister as necessary to keep the legislation current.”
Last month, Mr Hawkes expressed concern that State bodies were using draconian powers to access personal information for measures such as clamping down on welfare fraud.
Mr Hawkes previously carried out a detailed audit of the Department of Social and Family Affairs in 2008 following a number of high-profile cases where personal data was viewed by staff who did not have a need to access it.
Mr Ahern welcomed the report and said improving levels of compliance with emerging international practice in data security, and preventing data breaches, would boost people’s trust in doing business electronically.
He will now consider the group’s recommendations and data protection developments at EU level before deciding if Irish legislation needs to be updated.