Case law: self-reporting data breaches does not grant immunity from fines
Businesses should not be deterred from owning up to and reporting data breaches, despite a ruling of the Upper Information Rights Tribunal that self-reporting will not give organisations immunity from being fined.
This update was published in Legal Alert - December 2013
Legal Alert is a monthly checklist from Atom Content Marketing highlighting new and pending laws, regulations, codes of practice and rulings that could have an impact on your business.
Failure to report serious data breaches is likely to attract heavier sanctions than any fine imposed following self-reporting; and the ICO looks favourably on companies that self-report.
In a recent case, an NHS trust appealed a decision of the Information Commissioner's Office (ICO) to fine it £90,000 over a breach of the Data Protection Act that it had self-reported.
The trust's appeal to the Upper Tribunal failed. The Tribunal held that it would be wrong for immunity from fines to follow automatically from self-reporting a data breach: that would be an 'arbitrary' outcome, and one that would undermine the effectiveness of, and public confidence in, the regulatory regime.
Businesses are advised to be proactive when they detect a data breach: self-report it to the ICO, and deal with it by following the ICO's advice on containment and recovery.
Guidance on data security breach management can be downloaded from the ICO website.
Disclaimer: This article from Atom Content Marketing is for general guidance only, for businesses in the United Kingdom governed by the laws of England. Atom Content Marketing, expert contributors and ICAEW (as distributor) disclaim all liability for any errors or omissions.
Copyright © Atom Content Marketing