MPs will today debate making reckless or repeated security breaches in data handling a civil offence, following pressure from Liberal Democrat peers.

Commenting, Liberal Democrat Home Affairs Spokesperson in the House of Lords, Baroness [Sue] Miller said:

"We welcome the Government’s decision to adopt the Liberal Democrat amendment with minor changes.

"Until now data controllers in both public and private sectors got off scot free even if they were totally negligent with people’s personal data.

"The negligent loss of private information should now be treated with the seriousness it deserves."

In the House of Lords, the following Liberal Democrat amendment was won by four votes as part of the Criminal Justice and Immigration Bill:

After Clause 76
BARONESS MILLER OF CHILTHORNE DOMER
LORD WALLACE OF TANKERNESS
95 Insert the following new Clause-
"Data protection: additional offences
(1) After section 55 of the Data Protection Act 1998 (c. 29) insert-
"55A Data protection: additional offences
(1) A data controller must not-
(a) intentionally or recklessly disclose information contained in personal data to another person,
(b) repeatedly and negligently allow information to be contained in personal data to be disclosed, or
(c) intentionally or recklessly fail to comply with duties under section 4(4).
(2) Subsection (1)(a) does not apply if the data controller can show that the disclosure-
(a) was necessary for the purpose of preventing or detecting crime,
(b) was required or authorised by or under any enactment, by any rule of law, or by the order of a court, or
(c) was justified in the particular circumstances as being in the public interest.
(3) This section shall apply whether or not the data controller is-
(a) a relevant authority under section 29, or
(b) exercising a relevant function under section 31.
(4) A data controller who contravenes subsection (1) is guilty of an offence."
(2) In section 63 of the Data Protection Act 1998, omit subsection (5)."

The Government has conceded on the principle of this amendment. They have tabled an amendment to be debated in the Commons which ensures that the Information Commissioner can serve a notice on any data controller (both public and private sector) to pay a monetary penalty if he's satisfied that there has been a deliberate contravention of section 4(4) of the Data Protection Act or if the data controller knew that there was a risk of the contravention occuring and failed to take reasonable steps to prevent the contravention. Section 4(4) of the DPA states that it shall be the duty of a data controller to comply with the data protection principles in relation to all personal data with respect to which he is the data controller.