answer text |
<p>The Data Protection Act 1998 (DPA) does not place a legal obligation on data
controllers to report breaches of security which result in loss, release or corruption
of personal data. However, the Information Commissioner’s Office (ICO) has made clear
that serious breaches should be brought to their attention. The nature of the breach
or loss can then be considered together with whether the data controller is properly
meeting their responsibilities under the DPA. The DPA does not define ‘serious breaches’
but the ICO have produced guidance to assist data controllers when deciding whether
to report a breach. The guidance can be found on its website at: www.ico.org.uk.</p><p>The
ICO has a range of tools to allow it to respond robustly and to make sure that private
and public sector organisations meet their information rights obligations, such as
issuing monetary penalty notices, requiring an organisation(s) to pay up to £500,000
for serious breaches of the DPA.</p>
|
|