Question to the Ministry of Justice:
To ask the Secretary of State for Justice, what requirements there are for (a) the Government and its agencies and (b) organisations and corporations to report the loss of an individual's personal information.
The Data Protection Act 1998 (DPA) does not place a legal obligation on data controllers to report breaches of security which result in loss, release or corruption of personal data. However, the Information Commissioner’s Office (ICO) has made clear that serious breaches should be brought to its attention. The nature of the breach or loss can then be considered together with whether the data controller is properly meeting its responsibilities under the DPA. The DPA does not define ‘serious breaches’, but the ICO has produced guidance to assist data controllers when deciding whether to report a breach. The guidance can be found on its website at: www.ico.org.uk.
The ICO has a range of tools to allow it to respond robustly and to make sure that private and public sector organisations meet their information rights obligations, such as issuing monetary penalty notices, which can require an organisation to pay up to £500,000 for serious breaches of the DPA.