UK NHS & Disclosure: A Moral Imperative Example
From Silicon.com, “Pressure grows for UK data loss disclosure” [link to http://software.silicon.com/security/0,39024655,39166396,00.htm?r=49 no longer works]:
As a spokeswoman for the Information Commissioner’s Office told silicon.com last year: “There is nothing in the Data Protection Act that legally obliges companies to inform customers when these things occur.”
But, from the BBC, “Children’s details taken in theft”:
Health bosses in Nottinghamshire have issued a warning after a laptop containing information on about 11,000 young children was stolen.
I believe this to be an example of the moral imperative around breach disclosure. There’s no legal obligation, but there is an ethical one, and the NHS knows it.
Thanks to Antonomasia for the BBC story; the laptop has since been recovered, but it’s unclear if any data was copied.
Morality is relative. The NHS may pipe up, after all they cannot lose market share (can they? Ignorant American speaking here). British banks and retailers, OTOH… well, I’ll let Ross Anderson do the talking:
“We need a breach reporting law in the UK” — Ross Anderson, 2007-03-30
The NHS can lose political support and public confidence. That they’ve chosen to be transparent is good and shows trust in the public.