Experts believe government may be liable for data management breaches
Despite its suspension of the company allegedly guilty of improperly managing data, the Home Office may find itself accountable for breaching data requirements, say experts.
The Home Office last week announced that its contract with PA Consulting Group was to be terminated in light of its failure to provide adequate security measures when handling the personal data of thousands of convicted criminals.
Tom Morrison, associate at Rollits Solicitors, believes that the Home Office may yet be liable. “Whether the buck stops with the Home Office or the company is a moot point. If PA Consulting is held to be the Home Office’s data processor under the Data Protection Act 1998 and if the Home Office remains the data controller, then primary liability for the breach rests with the Home Office,” he says.
He continues: “If the information commissioner chose to get involved, it is likely that both the Home Office and the company would be brought to task, particularly if it is felt that appropriate organisational and technical measures were not in place to prevent accidental loss, damage or disclosure.”
Morrison says that recent changes to the law mean that once a new monetary penalty notices regime has been implemented, businesses that flout the Act may be subjected to fines directly imposed by the information commissioner, rather than through the courts, although guidance governing how such fines will be administered has not yet been put in place.
According to Morrison, it is imperative that appropriate safeguards are put in place to reduce the likelihood of data breaches.
He suggests that the termination of the group’s contract may help convince the private sector that, if it cannot demonstrate that it takes data security seriously, it can expect to find it much harder to win public sector contracts in the future.