UK.gov delays new data breach powers

The government has failed to meet its own deadlines to bring in new powers for the Information Commissioner's Office (ICO) to fine companies who lose personal data.

The Ministry of Justice won't say when it plans to publish the secondary legislation needed to set the fines or why it did not meet its March target.

A spokesman said: "The Criminal Justice and Immigration Act 2008 amended the Data Protection Act and introduced a power for the Information Commissioner to impose civil monetary penalties on data controllers that knowingly or recklessly commit serious contravention of the data protection principles (including security).

"We are committed to bringing these provisions into force as soon as possible."

Changes to the Data Protection Act were proposed following a rash of high profile data losses by the government and private companies in 2007. The ICO lobbied for the power to impose civil penalties on those who fail to protect privacy.

Most of its European counterpart data watchdogs have similar powers.

An ICO spokeswoman said it had submitted to the Ministy of Justice's consultation on the powers, and was awaiting the outcome.

This week the security industry called on the government to publish its plans. Data protection specialist FutureSoft said it understood officials were set a target to implement a civil penalties regime by the summer parliamentary recess "at the latest", but noted "there is, as yet, no sign of the statutory guidance". ®