Will they have to write to everyone in the entire country?

[Dave Birch] Some people think that data breach legislation is a useful way to force companies to take their data protection responsibilities seriously. Personally, I’m not entirely convinced but I’d be very happy to hear the arguments from either side. If I got a letter from, say, Tesco saying that one of their systems had been compromised and some people’s personal details had been stolen, then I’d just chuck it in the recycling since — like most other people, I imagine — I don’t really care and I’ve no idea what to do with the information if I did. As it happens, my Tesco loyalty card isn’t in my real name anyway. But suppose — just suppose — that it is the government itself that is compromised? Do then they have to write to every single person in the country?

Technorati Tags: government, identity, privacy

Sounds ridiculous? Look at the news from Ireland, where it has emerged that a civil servant — from the Data Protection Section (!) — passed information from government databases to his criminal brother. The brother used it to burgle one man and attempt to extort money from three businessmen. The civil servant told investigators that it is “common practice” to look up data on friends, family and acquaintances. Apparently there have been a number of other breaches since, with civil servants leaking sensitive information to third parties.

I’m not seeking to draw attention to the Irish breach, since I’m sure that the same things happen in other countries (including the U.K.), just pointing out that data breach legislation might need to cover matters more sensitive than credit card numbers. So what is the right answer?

These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]